Clarrification on whether portsnap was affected by the 2012 compromise
richard bader
richard at bader-muenchen.de
Tue Nov 20 13:50:17 UTC 2012
Am 20.11.2012 13:47, schrieb John Bayly:
> On 20/11/12 12:15, Gary Palmer wrote:
>> On Tue, Nov 20, 2012 at 10:49:13AM +0000, John Bayly wrote:
>>> Regarding the 2012 compromise, I'm a little confused as to what was and
>>> wasn't affected:
>>>
>>> >From the release:
>>>> or of any ports compiled from trees obtained via any means other than
>>>> through svn.freebsd.org or one of its mirrors
>>> Does that mean that any ports updated using the standard "portsnap
>>> fetch" may have been affected, I'm guessing yes.
>>>
>> " We have also verified that the most recently-available portsnap(8) snapshot matches the ports Subversion repository, and so can be fully trusted."
> I suppose that implies that the previous portsnap snapshots couldn't be
> [completely] trusted. Basically I wanted to know whether I had to go
> through all the ports I've updated from the snapshots within the given
> time frame and to a portupgrade --force on them. In the end I decided
> yes (luckily it's only on a single box)-unsubscribe at freebsd.org"
So what ist the way to get a 'secure' portscollection?
first update with 'portsnap -f /etc/portsnap.conf fetch update '
and then 'portupgrade -caDf'
--
Dipl.Ing.Bader Richard GmbH, Helferichstrasse 32, 80999 Muenchen
Tel.: +49 89 892205 31
Fax.: +49 89 892205 33
http://www.bader-muenchen.de
More information about the freebsd-security
mailing list