On 10/10/04 15:43, Dick Davies wrote:
> I've recently returned to FreeBSD from a tour around various other free
> OSes - last time I used it seriously was around 4.7, I think, and 5.3 seems
> to be light years ahead functionality wise. So first off, congratulations.

Glad to have you back ;-).

> But I'm a little alarmed by the pre 5.3 release ports freeze - portaudit has
> flagged an awful lot of packages as having holes and refused to install them.
>
> Off the top of my head : mozilla, cups (and therefore most of kde) and
> firefox/bird. Shouldn't serious bugs (like the JPEG vuln
> in firefox for example) override the freeze?

The Mozilla/Firefox ports have been updated with patches to resolve the security issues. See the latest commits for more info:

http://www.freshports.org/www/mozilla
http://www.freshports.org/www/firefox

It seems the real issue for Mozilla/Firefox is that the VuXML document was not updated to reflect the patches being applied to the older versions (see http://www.vuxml.org/freebsd/index.html). Usually the versioning for the VuXML document is done with the assumption that issues will be resolved by updating to the latest version available from the vendor. Under a ports freeze this assumption is not correct. I've CC'ed nectar_at_ for this reason. Once this document is updated then portaudit will no longer flag them.

The CUPS port still has not been updated to resolve its "print queue browser denial-of-service" issue. However, there is a PR from the maintainer to update to the latest, "safe" version:

http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/71811

> I just wondered if there is a policy to not upgrade ports under any
> circumstances, or if this is just an oversight? I can imagine this would make
> me very twitchy if I was running production boxes during a freeze....
> or have I missed something, and this doesn't affect 4.* users?

Updates for security issues generally happen very promptly during ports freezes. I think these cases are just oversight, either in the reporting of updates (Mozilla/Firefox) or the actual updating itself (CUPS).

Jon

Received on Sun Oct 10 2004 - 19:20:31 UTC