Upgrading Insecure Packages

gabriel

I manage a small cluster of FreeBSD machines by creating a package on a management server and then rsyncing the ports tree to each box in the cluster and running portupgrade remotely to update a package.

Unfortunately, the last time I did this on our DirectAdmin box (upgraded Perl), it gibbled the DA install and I had to re-install everything.

At the moment, we have known vulnerabilities in a few packages (found thanks to portaudit) including proftpd which had to be disabled because of this hole.

What is the proper way to upgrade these packages to their secure version? Running a manual update with DirectAdmin's interface resulted in a "you already have the latest version" message which was less than helpful.
 
The maintainer of the vulnerable ports has to upgrade them and VUXML needs an update to reflect the changes.

Also, if you [need to] upgrade things like PERL be very sure you read /usr/ports/UPDATING. It's not possible to upgrade PERL just like that.

Code:
20050624:
  AFFECTS: users of lang/perl5.8
  AUTHOR: [email protected]

  lang/perl5.8 has been updated to 5.8.7.  You should update everything
  depending on perl.  The easiest way to do that is to use
  perl-after-upgrade script supplied with lang/perl5.8.  Please see
  its manual page for details.

Why do you disable already installed software because of Portaudit? Wait till it's been fixed or fix it yourself.
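
Added example, not part of the thread or of the ports tools: a small shell function that pulls out the /usr/ports/UPDATING entries naming a given port since a given date, so they can be read before portupgrade is run. The function names, the sample file contents other than the 20050624 entry quoted above, and the port `ftp/example-ftpd` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list UPDATING entries that affect a port.

# updating_entries ORIGIN SINCE [FILE]
# Prints each entry dated SINCE (YYYYMMDD) or later whose AFFECTS line names
# ORIGIN, e.g. lang/perl5.8. FILE defaults to /usr/ports/UPDATING.
# Limitation: only the first line of a wrapped AFFECTS field is inspected.
updating_entries() {
    awk -v origin="$1" -v since="$2" '
        function emit() {
            if (hit && date >= since) printf "%s", entry
            entry = ""; hit = 0
        }
        # An entry starts with an 8-digit date followed by a colon.
        /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:/ {
            emit(); date = substr($0, 1, 8) + 0
        }
        date { entry = entry $0 "\n" }   # text before the first entry is skipped
        /^[ \t]*AFFECTS:/ && index($0, origin) { hit = 1 }
        END { emit() }
    ' "${3:-/usr/ports/UPDATING}"
}

# Constructed sample input; only the 20050624 entry comes from the thread.
sample_updating() {
    cat <<'EOF'
Constructed header text that precedes the first entry.

20050701:
  AFFECTS: users of ftp/example-ftpd
  AUTHOR: (constructed)

  Constructed entry for a hypothetical port.

20050624:
  AFFECTS: users of lang/perl5.8
  AUTHOR: (address elided)

  lang/perl5.8 has been updated to 5.8.7.  You should update everything
  depending on perl.  The easiest way to do that is to use
  perl-after-upgrade script supplied with lang/perl5.8.

20040101:
  AFFECTS: users of lang/perl5.8
  AUTHOR: (constructed)

  Constructed older entry, filtered out by the SINCE date below.
EOF
}

# Demo: entries for lang/perl5.8 dated 20050601 or later.
tmp=$(mktemp); sample_updating > "$tmp"
updating_entries lang/perl5.8 20050601 "$tmp"; rm -f "$tmp"
```

Matching is by substring on the AFFECTS line, so it over-reports rather than under-reports; set SINCE to the date the port was last upgraded.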
 