Dealing with (multiple) pkgs with security vulnerabilities.

Odhiambo Washington odhiambo at gmail.com
Sun Nov 27 09:45:40 UTC 2016


On 27 November 2016 at 12:11, Herbert J. Skuhra <herbert at mailbox.org> wrote:

> Odhiambo Washington wrote:
> >
> > Hi,
> > Part of my security run output contains a long list of packages with
> > vulnerabilities.
> > 'pkg audit -F' returns a listing of these pkgs with enough details, but
> >  pkg update && pkg upgrade returns nothing so I suppose there is a better
> > way to deal with these.
>
> Output of 'uname -a' is missing.
>

Yeah, I am sorry I didn't supply that. I forgot.


>
> - you are running a version that is EOL (e.g.: FreeBSD 8.x)
>

That is so true!! But I also have some servers running 9.3 and 10.3. Would
it be different dealing with this situation in 9.3|10.3 ??


>   => update base first and then try pkg update/upgrade again
> - you are running a platform (e.g. arm) for which packages are not
> built/updated
> - the url in your repository file (e.g. /etc/pkg/FreeBSD.conf) is wrong
>

  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",


> > I know I can manually do 'make -C /path/to/port/directory clean reinstall
> > clean', but that is so manual and tiring even just for 10 pkgs to be
> > updated.
> >
> > What is the easiest way of doing a batch update for all the listed pkgs?
>
> - checkout/update /usr/ports with svn(lite) or portsnap
>

I use portsnap.


> - install ports-mgmt/portmaster
>

I use portupgrade.


> - run 'portmaster -a'
>

So, `portupgrade -1` ??

Okay. I always find that scary. I guess I have to upgrade these systems to
10.3, or maybe 11.



> You haven't updated for a long time (more than a year). So maybe it's
> better to remove all installed ports (pkg delete -a) and reinstall
> them one by one.
>

Sounds sensible, but I usually just update the ports that I know as most
active - those for which the server was built.

Anyway, I get the point now.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


More information about the freebsd-questions mailing list
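
Added example (not part of the original thread): a small sh helper that reduces `pkg audit` output to a unique list of vulnerable package names, so the batch update discussed above starts from a reviewable list. It assumes each finding begins with a line of the form `<name>-<version> is vulnerable:`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: each finding in `pkg audit` output starts with a line of the
# form "<name>-<version> is vulnerable:" and a package version never
# contains '-', so the last '-' separates name from version.

# Print the unique names of vulnerable packages read from stdin.
vulnerable_names() {
    sed -n 's/^\(.*\)-[^-]* is vulnerable:.*$/\1/p' | sort -u
}

# Constructed sample output (package names and advisory text are made up).
sample_audit_output() {
    cat <<'EOF'
examplepkg-1.2.3 is vulnerable:
examplepkg -- constructed advisory title
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-1.html

examplepkg-1.2.3 is vulnerable:
examplepkg -- second constructed advisory for the same package
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-2.html

py27-example-lib-0.9_1,2 is vulnerable:
py27-example-lib -- constructed advisory title
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-3.html

3 problem(s) in the installed packages found.
EOF
}

# On a FreeBSD host read the live audit; elsewhere fall back to the sample.
audit_names() {
    if command -v pkg >/dev/null 2>&1; then
        pkg audit -F 2>/dev/null | vulnerable_names
    else
        sample_audit_output | vulnerable_names
    fi
}

audit_names
```

A package with several advisories appears once in the result, and hyphenated names such as `py27-example-lib` keep their full name because only the text after the last `-` is treated as the version.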