pkgsrc-Users archive


Managing vulnerable installed packages



I'm wondering if I'm managing my installed pkgsrc packages with security
vulnerabilities in the best way.  I updated my current-branch, ran
"pkg_admin fetch-pkg-vulnerabilities", and ran "pkg_admin audit".  I
upgraded the packages reported to contain vulnerabilities.  I then ran
"pkg_admin audit" again and got the following output:

Package ffmpeg2-2.0.2nb1 has a denial-of-service vulnerability, see 
http://secunia.com/advisories/54389/
Package ffmpeg2-2.0.2nb1 has a multiple-vulnerabilities vulnerability, see 
http://secunia.com/advisories/54857/
Package ffmpeg2-2.0.2nb1 has a multiple-vulnerabilities vulnerability, see 
http://secunia.com/advisories/54921/
Package ffmpeg2-2.0.2nb1 has a denial-of-service vulnerability, see 
http://secunia.com/advisories/54972/
Package ffmpeg2-2.0.2nb1 has a denial-of-service vulnerability, see 
http://secunia.com/advisories/54967/
Package ffmpeg2-2.0.2nb1 has a multiple-vulnerabilities vulnerability, see 
http://secunia.com/advisories/55122/
Package ffmpeg2-2.0.2nb1 has a multiple-vulnerabilities vulnerability, see 
http://secunia.com/advisories/55293/
Package ffmpeg2-2.0.2nb1 has a denial-of-service vulnerability, see 
http://secunia.com/advisories/55234/
Package ffmpeg2-2.0.2nb1 has a denial-of-service vulnerability, see 
http://secunia.com/advisories/55460/
Package libarchive-2.8.4nb2 has a multiple-vulnerabilities vulnerability, see 
http://secunia.com/advisories/47049/
Package python33-3.3.2nb2 has a ssl-certificate-spoofing vulnerability, see 
http://secunia.com/advisories/54393/

So, the latest packages from the current-branch still have
vulnerabilities:

* multimedia/ffmpeg2: It looks like the latest FFmpeg stable 2.0 release
  is 2.0.2, which is what pkgsrc builds.  So, it would seem there's
  nothing to be done in pkgsrc until the FFmpeg project makes a new
  release.

* archivers/libarchive: The latest legacy version of libarchive appears
  to be 2.8.5.  Could this be upgraded in the pkgsrc current-branch?

* lang/python33: Python 3.3.2 appears to be the latest release from the
  Python project, so there's nothing to be done in pkgsrc until 3.3.3 is
  released (assuming it includes a fix for the vulnerability).

As a user, I just want to ensure all installed packages are free from
known security vulnerabilities. "pkg_admin audit" tells me when I don't
have this, but I don't know of good steps for what to do next.  I
update the pkgsrc current-branch tree, check to see if that gives me
updates to any of the packages reported to contain vulnerabilities,
and do an update for each package for which an update exists.  But for
those that don't have an update, I have to check upstream.  If there
is a new upstream, I email this mailing list asking for an update (or
I update it and submit a patch).  For those that don't have a newer
upstream release, what do I do?  I guess I just decide whether the
vulnerability is acceptable.  If it is, I keep the package installed
until an update becomes available; if it's not, I delete the package
until an update becomes available.  But to do even this, I have to
update the current-branch each day (assuming I want to check each day),
check whether an update is available in pkgsrc, and if not, check
upstream.

Is this what most people are doing, or is there a better way?

Thanks,

Lewis
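The workflow in the post (fetch the vulnerability list, run "pkg_admin audit", then work out per package whether anything newer exists) gets tedious when one package such as ffmpeg2 accounts for nine of the eleven lines. As an added example, not part of the original post or of pkg_install itself, the POSIX sh script below condenses audit output to one line per installed package with the advisory count and the vulnerability types seen, and derives the pkgsrc package base name that you would then look up in the tree. It assumes the line format shown in the post ("Package NAME has a TYPE vulnerability, see URL"); the sample lines are constructed from that output so the script runs offline, and on a real system you would pipe "pkg_admin audit" into the functions instead.

```shell
#!/bin/sh
# Added example: condense "pkg_admin audit" output to one line per package.
# Constructed sample, modelled on the audit lines quoted in the post.
SAMPLE_AUDIT='Package ffmpeg2-2.0.2nb1 has a denial-of-service vulnerability, see http://secunia.com/advisories/54389/
Package ffmpeg2-2.0.2nb1 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/54857/
Package libarchive-2.8.4nb2 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/47049/
Package python33-3.3.2nb2 has a ssl-certificate-spoofing vulnerability, see http://secunia.com/advisories/54393/'

# summarize_audit: read audit lines on stdin and print, sorted by package,
# "PKGNAME COUNT TYPE[,TYPE...]" so a package with many advisories shows once.
# Field layout assumed: $2 = package name, $5 = vulnerability type, $8 = URL.
summarize_audit() {
    awk '
    $1 == "Package" && $3 == "has" {
        pkg = $2; type = $5
        count[pkg]++
        # keep each type once per package, in first-seen order
        if (!seen[pkg, type]) {
            seen[pkg, type] = 1
            types[pkg] = (types[pkg] == "") ? type : types[pkg] "," type
        }
    }
    END { for (p in count) printf "%s %d %s\n", p, count[p], types[p] }
    ' | sort
}

# advisories_for: print the advisory URLs recorded for one installed package.
#   usage: printf '%s\n' "$SAMPLE_AUDIT" | advisories_for ffmpeg2-2.0.2nb1
advisories_for() {
    awk -v want="$1" '$1 == "Package" && $2 == want { print $8 }'
}

# pkgbase: strip the version, which in pkgsrc follows the last "-",
# e.g. ffmpeg2-2.0.2nb1 -> ffmpeg2, python33-3.3.2nb2 -> python33.
pkgbase() {
    printf '%s\n' "${1%-*}"
}

# vulnerable_pkgbases: unique base names of every package the audit flags;
# these are the names to check against the updated pkgsrc tree (for example
# with "pkg_info -Q PKGPATH <base>" to find the category/package directory).
vulnerable_pkgbases() {
    summarize_audit | while read -r pkg _count _types; do
        pkgbase "$pkg"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_audit
printf '%s\n' "$SAMPLE_AUDIT" | advisories_for ffmpeg2-2.0.2nb1
printf '%s\n' "$SAMPLE_AUDIT" | vulnerable_pkgbases
```

The per-package summary answers the practical question the post raises: which installed packages still need a decision (keep, delete, or ask for an update) rather than how many advisories exist, while advisories_for keeps the URLs reachable when you do want to judge one package's risk.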

