Index: en_US.ISO8859-1/books/porters-handbook/security/chapter.xml
===================================================================
--- en_US.ISO8859-1/books/porters-handbook/security/chapter.xml
+++ en_US.ISO8859-1/books/porters-handbook/security/chapter.xml
@@ -412,38 +412,19 @@
Testing Changes to the VuXML Database
This example describes a new entry for a
- vulnerability in the package clamav that
- has been fixed in version 0.65_7.
+ vulnerability in the package dropbear that
+ has been fixed in version dropbear-2013.59.
As a prerequisite,
- install fresh versions of the ports
- ports-mgmt/portaudit,
- ports-mgmt/portaudit-db, and
- security/vuxml.
+ install a fresh version of
+ security/vuxml port.
-
- The user running packaudit must have
- permission to write to its DATABASEDIR,
- typically /var/db/portaudit.
-
- To use a different directory, set the
- DATABASEDIR environment variable to a
- different location.
-
- If working in a directory other than
- ${PORTSDIR}/security/vuxml, set the
- VUXMLDIR environment variable to the
- directory where vuln.xml is
- located.
-
-
First, check whether there already is an entry for this
vulnerability. If there were such an entry, it would match
the previous version of the package,
- 0.65_6:
+ 2013.58:
- &prompt.user; packaudit
-&prompt.user; portaudit clamav-0.65_6
+ &prompt.user; pkg audit dropbear-2013.58
If there is none found, add a
new entry for this vulnerability.
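Review bot: The added text "has been fixed in version dropbear-2013.59" repeats the package name inside the version, while the line it replaces gave a bare version (0.65_7) and the later added line in this hunk uses a bare "2013.58:". Suggest "has been fixed in version 2013.59" so both references use the same form. In "install a fresh version of security/vuxml port" the article is missing; "of the security/vuxml port" reads correctly. The first check, "pkg audit dropbear-2013.58", is run without -f, unlike the commands added later in this patch. With the packaudit step and the DATABASEDIR/VUXMLDIR notes removed, the text no longer says which vulnerability database that lookup consults or how to make sure it is current. One sentence stating that would close the gap.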
@@ -461,22 +442,11 @@
textproc/jade.
- Now rebuild the portaudit database from
- the VuXML file:
+ Verify that the <affected>
+ section of the entry will match the correct packages:
- &prompt.user; packaudit
+ &prompt.user; pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58
- To verify that the <affected>
- section of the entry will match the correct package(s), issue this
- command:
-
- &prompt.user; portaudit -f /usr/ports/INDEX -r uuid
-
-
- Please refer to &man.portaudit.1; for better
- understanding of the command syntax.
-
-
Make sure that the entry produces no spurious matches in
the output.
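Review bot: The replacement command "pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58" queries a single named package, whereas the removed "portaudit -f /usr/ports/INDEX -r uuid" took the ports INDEX as input and selected the entry by uuid. The unchanged sentence that follows, "Make sure that the entry produces no spurious matches in the output", no longer fits: a one-package query cannot show whether the new <affected> ranges also match unrelated packages. Either add a step that evaluates the entry against a wider package set, or reword the sentence to describe what this command can actually confirm. The hunk also drops the pointer to &man.portaudit.1; without a replacement. A reference to the pkg audit manual page would help readers with the -f syntax.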
@@ -483,22 +453,18 @@
Now check whether the right package versions are matched
by the entry:
- &prompt.user; portaudit clamav-0.65_6 clamav-0.65_7
-Affected package: clamav-0.65_6 (matched by clamav<0.65_7)
-Type of problem: clamav remote denial-of-service.
-Reference: <http://www.freebsd.org/ports/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html>
+ &prompt.user; pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-201
+3.58 dropbear-2013.59
+dropbear-2012.58 is vulnerable:
+dropbear -- exposure of sensitive information, DoS
+CVE: CVE-2013-4434
+CVE: CVE-2013-4421
+WWW: http://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html
-1 problem(s) found.
+1 problem(s) in the installed packages found.
The former version matches while the latter one
does not.
-
- Finally, verify whether the web page generated from the
- VuXML database looks like expected:
-
- &prompt.user; mkdir -p ~/public_html/portaudit
-&prompt.user; packaudit
-&prompt.user; lynx ~/public_html/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html
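Review bot: The sample session in the added lines is internally inconsistent: the command queries dropbear-2013.58 and dropbear-2013.59, but the output reads "dropbear-2012.58 is vulnerable:". The command is also wrapped in the middle of a version string ("dropbear-201" at the end of one line, "3.58 dropbear-2013.59" on the next), which will render as a broken command inside the screen block. Put the command on one line and correct the output to 2013.58. The removed output carried a "(matched by clamav<0.65_7)" line showing which range matched. The new output has no equivalent, so "The former version matches while the latter one does not" now depends on the reader noticing that dropbear-2013.59 is absent from the output. Consider stating that explicitly.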