Index: head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml =================================================================== --- head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml +++ head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml @@ -114,16 +114,14 @@ also monitor it for issues requiring their intervention. - - If you have committer rights you can update the VuXML - database by yourself. So you will both help the Security - Officer Team and deliver the crucial information to the - community earlier. However, if you are not a committer, or - you believe you have found an exceptionally severe - vulnerability please do not hesitate to contact the Security - Officer Team directly as described on the - &os; - Security Information page. + Committers can update the VuXML + database themselves, assisting the Security Officer Team + and delivering crucial information to the community more + quickly. Those who are not committers or have discovered + an exceptionally severe vulnerability should not hesitate + to contact the Security Officer Team directly, as described + on the + &os; Security Information page. The VuXML database is an XML document. Its source file vuln.xml is kept right @@ -412,38 +410,19 @@ Testing Changes to the VuXML Database This example describes a new entry for a - vulnerability in the package clamav that - has been fixed in version 0.65_7. + vulnerability in the package dropbear that + has been fixed in version dropbear-2013.59. As a prerequisite, - install fresh versions of the ports - ports-mgmt/portaudit, - ports-mgmt/portaudit-db, and - security/vuxml. - - - The user running packaudit must have - permission to write to its DATABASEDIR, - typically /var/db/portaudit. - - To use a different directory, set the - DATABASEDIR environment variable to a - different location. - - If working in a directory other than - ${PORTSDIR}/security/vuxml, set the - VUXMLDIR environment variable to the - directory where vuln.xml is - located. - + install a fresh version of + security/vuxml port. First, check whether there already is an entry for this vulnerability. If there were such an entry, it would match the previous version of the package, - 0.65_6: + 2013.58: - &prompt.user; packaudit -&prompt.user; portaudit clamav-0.65_6 + &prompt.user; pkg audit dropbear-2013.58 If there is none found, add a new entry for this vulnerability. @@ -461,21 +440,10 @@ textproc/jade. - Now rebuild the portaudit database from - the VuXML file: - - &prompt.user; packaudit - - To verify that the <affected> - section of the entry will match the correct package(s), issue this - command: + Verify that the <affected> + section of the entry will match the correct packages: - &prompt.user; portaudit -f /usr/ports/INDEX -r uuid - - - Please refer to &man.portaudit.1; for better - understanding of the command syntax. - + &prompt.user; pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58 Make sure that the entry produces no spurious matches in the output. @@ -483,22 +451,18 @@ Now check whether the right package versions are matched by the entry: - &prompt.user; portaudit clamav-0.65_6 clamav-0.65_7 -Affected package: clamav-0.65_6 (matched by clamav<0.65_7) -Type of problem: clamav remote denial-of-service. -Reference: <http://www.freebsd.org/ports/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html> + &prompt.user; pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-201 +3.58 dropbear-2013.59 +dropbear-2012.58 is vulnerable: +dropbear -- exposure of sensitive information, DoS +CVE: CVE-2013-4434 +CVE: CVE-2013-4421 +WWW: http://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html -1 problem(s) found. +1 problem(s) in the installed packages found. The former version matches while the latter one does not. - - Finally, verify whether the web page generated from the - VuXML database looks like expected: - - &prompt.user; mkdir -p ~/public_html/portaudit -&prompt.user; packaudit -&prompt.user; lynx ~/public_html/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html