# Unable to ackowledge problem reported by portaudit



## pbd (Mar 11, 2009)

Hello again,

I am unable to acknowledge problem reported by portaudit. It reports the problem although I set his id in portaudit_fixed in portaudit.conf:



> [font="Courier New"]# portaudit -d
> Database created: Tue Mar 10 02:40:03 CET 2009
> # portaudit -av
> Affected package: perl-5.8.8_1 (matched by perl>=5.8.0<5.8.9)
> ...



Any ideas? Thanks.


----------



## FBSDin20Steps (Mar 11, 2009)

Deinstall perl and update your ports. Install perl...


----------



## pbd (Mar 11, 2009)

Yes, I keep my ports up to date, but let's say I decide, that a particular vulnerability is not important for me, because it can be exploited only by local users and they are all trusted. In addition, the reported vulnerability is in port, that provides some service critical for the machine. In this case, it is IMHO better not to upgrade than risk a possibility that something goes wrong during the upgrade. I am just trying to tell portaudit: "ignore this problem, I don't care about it".


----------



## DutchDaemon (Mar 11, 2009)

Deciding not to upgrade a port will become impossible sooner or later. Especially with a 'core port' like Perl, more and more other ports will start to require perl 5.8.9_*, so more upgrades of other ports will fail eventually. While I do understand the wish to keep something 'fixed', the only real way to do that is to fix the entire system, i.e.: don't upgrade any other port.


----------



## Mel_Flynn (Mar 13, 2009)

This is all fine and dandy that you guys want him to upgrade, however that's not his problem.
He specified that he does not want portaudit to report on a specific problem and stated reasons for it. Policies differ from administrator to administrator and one can in fact create a patch for this vulnerability as a temporary measure, till perl 5.8.9 has been tested thoroughly with the production environment on a test machine.

The problem is that portaudit doesn't work as pbd expects. The portaudit_fixed configuration value only applies to vulnerabilities in ports that are specific to FreeBSD versions, which are only 4 at present:
% grep '^FreeBSD' auditfile
FreeBSD<491101|http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html|multiple vulnerabilities in the cvs server code
FreeBSD>=500000<502114|http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html|multiple vulnerabilities in the cvs server code
FreeBSD>=502120<503000|http://www.FreeBSD.org/ports/portaudit/1b98165f-fdd9-11d8-81b0-000347a4fa7d.html|zlib DoS vulnerability
FreeBSD>=600000<600001|http://www.FreeBSD.org/ports/portaudit/1b98165f-fdd9-11d8-81b0-000347a4fa7d.html|zlib DoS vulnerability

One would have to wrap portaudit's output if one does not want to be bothered about it.
More importantly, this can hold upgrades of software not affected at all by this vulnerability, because it only uses perl as build dependency. The ports system however, does not use portaudit directly, but extracts and uses the auditfile by itself. The fix/workaround for that is to put DISABLE_VULNERABILITIES=yes in /usr/ports/lang/perl5.8/Makefile.local or if you use portsnap (which may delete the Makefile.local), add the following to /etc/make.conf:

```
.if !empty(.CURDIR:M/usr/ports/lang/perl5.8)
DISABLE_VULNERABILITIES=yes
.endif
```


----------

