On Sun, 12 Dec 2010, Kevin Kreamer wrote:
Having not used FreeBSD for several years, I did a fresh install yesterday of 8.1-RELEASE, and then used pkg_add -r to install several packages. I then came across portaudit, ran it, and it indicated that I had three vulnerable packages (git, ruby, and sudo). Looking at http://www.vuxml.org/freebsd/, it appears that these were reported in July, August, and September respectively.
You got the packages as they were at the release of 8.1 (July 23, 2010).
Basically, I would think a freshly installed system would not have security vulnerabilities from months prior. Is that an erroneous assumption on my part, am I just misunderstanding something, or do I have something misconfigured?
It's done (I think) to provide a known-working set of packages. The same effect is seen when things are installed from ports without updating the ports tree first; it's a snapshot at that time.
You can adjust the PACKAGEROOT or PACKAGESITE variables. See pkg_add(1). Or switch to using ports, updating the ports tree before installing or updating applications.
_______________________________________________ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"