DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Installation and Upgrading

FreeBSD Installation and Upgrading Installing and upgrading FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 2nd July 2008
robklg robklg is offline
New User
 
Join Date: Jul 2008
Posts: 3
Question cannot port upgrade php5-posix, complains about vulnerability

Hello. I have quite an annoying problem. This is on FreeBSD 6.3-RELEASE-p1.

Portaudit says my php5-posix-5.2.5 must be upgraded. After having done portsnap fetch update, and portsdb -F, and pkgdb, etc. To make sure everything is up to date... 'pkg_version -v | grep php5-posix' says:

Code:
php5-posix-5.2.5                    <   needs updating (port has 5.2.6)
So, I want to upgrade it to 5.2.6. However it won't let me upgrade my vulnerable package, and it says:

Code:
# portupgrade -b php5-posix-5.2.5
--->  Upgrading 'php5-posix-5.2.5' to 'php5-posix-5.2.6' (sysutils/php5-posix)
--->  Building '/usr/ports/sysutils/php5-posix'
===>  Cleaning for php5-posix-5.2.6
===>  php5-posix-5.2.6 has known vulnerabilities:
=> php -- input validation error in posix_access function.
   Reference: <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/sysutils/php5-posix.
** Command failed [exit code 1]: /usr/bin/script -qa /tmp/portupgrade.84387.0 env UPGRADE_TOOL=portupgrade UPGRADE_PORT=php5-posix-5.2.5 UPGRADE_PORT_VER=5.2.5 make
** Fix the problem and try again.
** Listing the failed packages (*:skipped / !:failed)
	! sysutils/php5-posix (php5-posix-5.2.5)	(unknown build error)
--->  Packages processed: 0 done, 0 ignored, 0 skipped and 1 failed
Why does it say I need to upgrade my ports tree? I have done a portsnap update and portsdb update, I would think that is sufficient.

I cannot even upgrade it when i use portupgrade --force.
Reply With Quote
  #2   (View Single Post)  
Old 2nd July 2008
anomie's Avatar
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 445
Default

Strange vulnerability report.
Quote:
It should be noted that this vulnerability is not considered to be serious by the FreeBSD Security Team, since safe_mode and open_basedir are insecure by design and should not be relied upon.
Hmm. Here's the thing: I don't know the php5-posix port's relationship to php5 itself, so it may be that you actually need to update and rebuild php5. But I am only speculating.

If you'd like to disable the security check temporarily (and do so at your own risk!), set the DISABLE_VULNERABILITIES variable in your environment. For more info, see the ports(7) manpages.
__________________
Kill your t.v.

Last edited by anomie; 2nd July 2008 at 05:44 PM. Reason: grammar.
Reply With Quote
  #3   (View Single Post)  
Old 4th July 2008
robklg robklg is offline
New User
 
Join Date: Jul 2008
Posts: 3
Default

Thank you very much for your response.

I have managed to upgrade now from php5-posix-5.2.5 to php5-posix-5.2.6.

I think the behaviour is very strange. First of, portaudit reports that I need to upgrade php5-posix-5.2.5 because of a vulnerability. But then, portupgrade does not allow me to upgrade to that version, because it *also* has a security vulnerability. Doesn't make sense.

So I used the DISABLE_VULNERABILITIES variable, and the upgrade worked.

But now portaudit says I need to upgrade the php5-posix-5.2.6 because of a vulnerability. However, I cannot upgrade it, because there is no later version of this package.

I begin to wonder why. Let me ask a question... in order to update my ports tree, this is the right method right?:

Code:
# portsdb -F -u
# portsnap fetch update
However:

Code:
root@hobbes:~# portsnap fetch update
Looking up portsnap.FreeBSD.org mirrors... 4 mirrors found.
Fetching snapshot tag from portsnap1.FreeBSD.org... done.
Latest snapshot on server matches what we already have.
No updates needed.
Ports tree is already up to date.
root@hobbes:~#
And:

Code:
# portaudit
Affected package: php5-posix-5.2.6
Type of problem: php -- input validation error in posix_access function.
Reference: <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849.html>

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
Code:
# pkg_version -v | grep php5-posix
php5-posix-5.2.6                    =   up-to-date with port
There is no information about php5-posix upgrading in /usr/ports/UPDATING.

What am I doing wrong?
Reply With Quote
  #4   (View Single Post)  
Old 4th July 2008
richardpl richardpl is offline
Spam Deminer
 
Join Date: May 2008
Location: Croatia
Posts: 284
Default

There is nothing wrong with your side, php5-posix-5 have that vulnerability by desing in all its version >5.
Reply With Quote
  #5   (View Single Post)  
Old 7th July 2008
robklg robklg is offline
New User
 
Join Date: Jul 2008
Posts: 3
Default

richardpl, thanks

I guess i'll just have to wait.. not sure why we need this package anyway ;-), but i didn't set it up in the first place..
Reply With Quote
  #6   (View Single Post)  
Old 15th July 2008
fallen fallen is offline
New User
 
Join Date: Jul 2008
Posts: 3
Default

I've compiled via port php5-extensions which are depending on this posix extension.

I don't need it so recompiled the port of php5-extensions w/o it.

Good luck.
Reply With Quote
Reply

Tags
php, php5-posix, portupgrade, vulnerability

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Vulnerability OldCoot OpenBSD Security 5 20th March 2009 07:44 PM
Upgrade PHP4 to PHP5 beandip FreeBSD Ports and Packages 0 11th August 2008 02:35 PM
Problem with upgrading php5-pcre and php5-mysql KernelPanic FreeBSD Ports and Packages 6 16th June 2008 10:00 PM
Swfdec read-only file access vulnerability corey_james FreeBSD Ports and Packages 0 14th May 2008 11:31 PM
WARNING: Vulnerability database out of date, checking anyway mfaridi FreeBSD Security 9 8th May 2008 06:13 AM


All times are GMT. The time now is 02:01 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick