# Where to report out-of-date ports with security advisories



## charles_belov (Jul 30, 2010)

If the port that is in the FreeBSD port collection is out-of-date and has a security advisory on it as being insecure, where do I report this?


----------



## DutchDaemon (Jul 30, 2010)

The maintainer and/or the freebsd-ports list and/or a PR (http://www.freebsd.org/send-pr.html).


----------



## charles_belov (Aug 2, 2010)

Thank you. As it involves a security issue, I e-mailed both the port maintainer and FreeBSD security (as noted in the instructions for filing a PR).


----------



## SirDice (Aug 2, 2010)

As a matter of interest, which port is it?


----------



## charles_belov (Aug 3, 2010)

Actually, they say not to post security issues on a public forum until they are resolved. I would extend this to not telling whoever asks.

I'll post back when I've verified the issue has been fixed.


----------



## SirDice (Aug 3, 2010)

If the port's source is already patched but it's just the port skeleton that needs updating, then it shouldn't be a problem. Most of us are probably quite capable of changing the port's Makefile. I know I am.

It would also help to increase awareness of the bug, not only for the bad guys but for us good guys too. Everyone should be able to review the impact of said bug.


----------



## lily (Aug 3, 2010)

BTW, if the vendor is lazy enough to not fix the vulnerability within a few weeks I think you can just go ahead: disclose details and mark the port FORBIDDEN.


----------



## charles_belov (Aug 4, 2010)

No, the vendor fixed and disclosed the vulnerability. It was the port that had not yet been updated. It is updated now.

Piwik 0.8


----------



## charles_belov (Aug 4, 2010)

Piwik.

And the port is fixed.


----------

