On Oct 10, 2004, at 4:20 PM, Jon Noack wrote:
> On 10/10/04 15:43, Dick Davies wrote:
>> But I'm a little alarmed by the pre 5.3 release ports freeze -
>> portaudit has flagged an awful lot of packages as having holes and
>> refused to install them.
>> Off the top of my head : mozilla, cups (and therefore most of kde) and
>> firefox/bird. Shouldn't serious bugs (like the JPEG vuln
>> in firefox for example) override the freeze?
>
> The Mozilla/Firefox ports have been updated with patches to resolve
> the security issues. See the latest commits for more info:
> http://www.freshports.org/www/mozilla
> http://www.freshports.org/www/firefox
>
> It seems the real issue for Mozilla/Firefox is that the VuXML document
> was not updated to reflect the patches being applied to the older
> versions (see http://www.vuxml.org/freebsd/index.html). Usually the
> versioning for the VuXML document is done with the assumption that
> issues will be resolved by updating to the latest version available
> from the vendor. Under a ports freeze this assumption is not correct.
> I've CC'ed nectar_at_ for this reason. Once this document is updated
> then portaudit will no longer flag them.

I'm afraid your assumption is not correct, Jon. Some of the Mozilla etc
vulnerabilities described in the VuXML document have been fixed by
back-porting the fixes, but not all of them. The contents of the VuXML
document are correct in this case, AFAIK.

I supplied the fixes for the most critical issues, and those were
applied by Joe. I'm afraid I did not/do not have time to back port and
test the scripting fixes as well.

It was my recommendation that the ports be upgraded to the latest
release before 5.3, but Joe reports that the latest release of Mozilla
etc causes build problems in other dependent ports. (This is why I went
through the trouble of back-porting the most critical fixes.)

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar_at_celabo.org / jvidrine_at_verio.net / nectar_at_freebsd.org

Received on Mon Oct 11 2004 - 14:27:16 UTC