On Sun, 12 Dec 2010, Kevin Kreamer wrote:

> Having not used FreeBSD for several years, I did a fresh install yesterday
> of 8.1-RELEASE, and then used pkg_add -r to install several packages.  I
> then came across portaudit, ran it, and it indicated that I had three
> vulnerable packages (git, ruby, and sudo). Looking at
> http://www.vuxml.org/freebsd/, it appears that these were reported in July,
> August, and September respectively.

You got the packages as they were at the release of 8.1 (July 23, 2010).

> Basically, I would think a freshly installed system would not have security
> vulnerabilities from months prior.  Is that an erroneous assumption on my
> part, am I just misunderstanding something, or do I have something
> misconfigured?

It's done (I think) to provide a known-working set of packages. The same effect is seen when things are installed from ports without updating the ports tree first; it's a snapshot at that time.

You can adjust the PACKAGEROOT or PACKAGESITE variables. See pkg_add(1). Or switch to using ports, updating the ports tree before installing or updating applications.
_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
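The two fixes the reply names (point pkg_add(1) at a package tree that is rebuilt after the release, then re-run portaudit) as an added worked example; this is not code from the list post or from the FreeBSD project. It assumes the mirror layout pkg_add(1) documents for 8.x, `<PACKAGEROOT>/pub/FreeBSD/ports/<arch>/packages-<branch>/Latest/`, with `<branch>` being `8.1-release`, `8-stable` or `current`; the `Affected package:` line format is portaudit's, but the audit lines fed to the parser here are constructed, not real output. pkg_add and portaudit are only invoked when the script actually runs on FreeBSD, so the helper functions can be exercised anywhere.

```sh
#!/bin/sh
# Added example (not from the list post).  Assumed from pkg_add(1) for 8.x:
#   <PACKAGEROOT>/pub/FreeBSD/ports/<arch>/packages-<branch>/Latest/
# where <branch> is 8.1-release (frozen at release time), 8-stable (rebuilt
# periodically from the ports tree) or current.

# Map `uname -r` output to the package directory pkg_add picks by default.
# 8.1-RELEASE and 8.1-RELEASE-p2 both land on the July 2010 snapshot.
default_branch() {
    case $1 in
        *-CURRENT) echo "packages-current" ;;
        *-STABLE)  echo "packages-${1%%.*}-stable" ;;
        *)         echo "packages-${1%%-*}-release" ;;
    esac
}

# Directory that tracks packages rebuilt after the release for this major version.
stable_branch() {
    echo "packages-${1%%.*}-stable"
}

# Compose the PACKAGESITE URL.  $1 = PACKAGEROOT, $2 = arch, $3 = uname -r,
# $4 = "stable" to follow rebuilt packages, anything else keeps the default.
packagesite_url() {
    root=$1; arch=$2; rel=$3; track=$4
    case $track in
        stable) dir=$(stable_branch "$rel") ;;
        *)      dir=$(default_branch "$rel") ;;
    esac
    echo "${root}/pub/FreeBSD/ports/${arch}/${dir}/Latest/"
}

# Reduce `portaudit -a` output (read on stdin) to the sorted, unique list of
# package names it flagged, so a re-run after the update is easy to compare.
flagged_packages() {
    sed -n 's/^Affected package: //p' | sort -u
}

# Constructed sample of what portaudit prints for a vulnerable package (the
# real tool also prints a Reference line with an advisory URL, omitted here).
SAMPLE_AUDIT='Affected package: sudo-1.7.2
Type of problem: constructed example entry.
Affected package: git-1.7.1
Type of problem: constructed example entry.'

# Stand-alone run: only touches the network on a FreeBSD box with portaudit.
if [ "$(uname -s 2>/dev/null)" = FreeBSD ] && command -v portaudit >/dev/null 2>&1; then
    PACKAGEROOT=${PACKAGEROOT:-ftp://ftp.freebsd.org}
    PACKAGESITE=$(packagesite_url "$PACKAGEROOT" "$(uname -m)" "$(uname -r)" stable)
    export PACKAGESITE
    echo "PACKAGESITE=$PACKAGESITE"
    portaudit -Fda                       # refresh the VuXML-derived db, audit all
    # pkg_add -r sudo                    # now fetched from the -stable tree
    portaudit -a | flagged_packages      # what is still flagged afterwards
else
    printf '%s\n' "$SAMPLE_AUDIT" | flagged_packages
fi
```

Whichever tree PACKAGESITE points at, pkg_add -r in this era fetches over plain FTP or HTTP with no package signatures, so portaudit is the only check that tells you whether what you installed is known-vulnerable; rebuilding from an updated ports tree, the other option the reply gives, has the same property and the same remedy.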