jackie46 (BANNED, Jul 25, 2005)

I ran portaudit against my installed packages and it detected security issues with many of the installed packages.

portaudit -Fda
auditfile.tbz 100% of 34 kB 177 kBps
New database installed.
Database created: Mon May 1 04:10:13 MYT 2006
Affected package: gnupg-1.4.0_1
Type of problem: GnuPG does not detect injection of unsigned data.
Reference: <http://www.FreeBSD.org/ports/portaudit/948921ad-afbc-11da-bad9-02e081235dab.html>

Affected package: gtar-1.15.1_1
Type of problem: gtar -- invalid headers buffer overflow.
Reference: <http://www.FreeBSD.org/ports/portaudit/6107efb9-aae3-11da-aea1-000854d03344.html>

Affected package: gnupg-1.4.0_1
Type of problem: gnupg -- false positive signature verification.
Reference: <http://www.FreeBSD.org/ports/portaudit/63fe4189-9f97-11da-ac32-0001020eed82.html>

Affected package: perl-5.8.6_2
Type of problem: perl, webmin, usermin -- perl format string integer wrap vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/bb33981a-7ac6-11da-bf72-00123f589060.html>

Affected package: ghostscript-gnu-7.07_12
Type of problem: ghostscript -- insecure temporary file creation vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/27a70a01-5f6c-11da-8d54-000cf18bbe54.html>

Affected package: lynx-2.8.5
Type of problem: lynx -- remote buffer overflow.
Reference: <http://www.FreeBSD.org/ports/portaudit/c01170bf-4990-11da-a1b8-000854d03344.html>

Affected package: unzip-5.52_1
Type of problem: unzip -- permission race vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/9750cf22-216d-11da-bc01-000e0c2e438a.html>

Affected package: gnupg-1.4.0_1
Type of problem: gnupg -- OpenPGP symmetric encryption vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/8375a73f-01bf-11da-bc08-0001020eed82.html>

Affected package: tiff-3.7.1_2
Type of problem: tiff -- buffer overflow vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/68222076-010b-11da-bc08-0001020eed82.html>

Affected package: mysql-server-4.1.10a
Type of problem: mysql-server -- insecure temporary file creation.
Reference: <http://www.FreeBSD.org/ports/portaudit/eeae6cce-d05c-11d9-9aed-000e0c2e438a.html>

Affected package: ImageMagick-6.2.0.5
Type of problem: ImageMagick -- ReadPNMImage() heap overflow vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/cd286cc5-b762-11d9-bfb7-000c6ec775d9.html>

Affected package: wget-1.8.2_7
Type of problem: wget -- multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/06f142ff-4df3-11d9-a9e7-0001020eed82.html>

12 problem(s) in your installed packages found.
Which of these modules can be upgraded manually without breaking Cpanel? What is the recommended upgrade path? Cpanel is obviously not upgrading these, but there are lots of vuln packages here that need updating.

astridas (Member, Jun 20, 2004)

You can upgrade all of those packages relatively easily using portupgrade. If you don't have portupgrade installed you can do so by:

cd /usr/ports/sysutils/portupgrade
make install clean

If you don't have experience upgrading Perl I would recommend using the Perl installer found on cpanel.net. MySQL could be tricky but there are plenty of guides around for that as well.

jackie46 (BANNED, Jul 25, 2005)

I'm sure I can use portupgrade, but my question is why doesn't cpanel keep these updated? Doesn't it look through the ports during UPCP, and isn't it supposed to upgrade them automatically, or maybe I'm missing something? What is the purpose of upcp if it cannot keep my software up to date? I think I asked this question before, and that was: do we need to keep our own modules updated or will cpanel do it for us? Some people said leave it alone and cpanel will update what's needed, but now I'm starting to think they didn't have the foggiest idea, as you can see above all these are vuln and outdated.

astridas (Member, Jun 20, 2004)

I'm sorry I misunderstood you before. I have never trusted cpanel to upgrade my packages. The upcp program is okay when you are upgrading cpanel, but as for everything else I upgrade myself. I went so far as to disable the upcp cron as it would overwrite my ports tree every night and not upgrade anything relevant.

jackie46 (BANNED, Jul 25, 2005)

Interesting, so what modifications do we need to make to ensure that these ports are up-to-date? Do you have any pointers?

astridas (Member, Jun 20, 2004)

I use portsnap to manage the ports tree and portupgrade to upgrade all the ports. Portsnap is great because it is secure and designed for small updates, unlike cvsup. You can set up a cron to upgrade your ports tree with portsnap. The only minor problem is that cpanel will hose your portsnap-created tree. Unless you are using automatic updates with cpanel, which I wouldn't recommend anyway, you would need to disable your upcp cron entry. After that it would be easy enough to run a 'portversion | grep \<' to see which ports need to be upgraded and then 'portupgrade <list of ports>' or 'portupgrade -a' if you want to upgrade all of your ports.

Quick Command Example Set

# portsnap fetch
# portsnap extract (first time only - or if cpanel overwrites ports tree)
# portsnap update
# portversion | grep \<
# portupgrade example-port example-port2
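An added triage script, written for this page and not part of the thread, of cPanel, or of the FreeBSD port tools: it takes a saved copy of the portaudit report from the first post and a portversion listing of the kind the reply above suggests, and works out which flagged packages actually have a newer port in the tree before anything is upgraded. Both input files are constructed samples embedded inline, shaped like the real tool output; the function names and the temporary-file layout are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD tools: triage a saved
# portaudit report against a portversion listing so you know which vulnerable
# packages have a newer port available before running portupgrade.
set -eu
LC_ALL=C; export LC_ALL

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
AUDIT="$WORK/portaudit.txt"   # constructed sample: what "portaudit -a" printed
PV="$WORK/portversion.txt"    # constructed sample: what "portversion" printed

cat > "$AUDIT" <<'EOF'
Affected package: gnupg-1.4.0_1
Type of problem: GnuPG does not detect injection of unsigned data.
Reference: <http://www.FreeBSD.org/ports/portaudit/948921ad-afbc-11da-bad9-02e081235dab.html>

Affected package: gtar-1.15.1_1
Type of problem: gtar -- invalid headers buffer overflow.
Reference: <http://www.FreeBSD.org/ports/portaudit/6107efb9-aae3-11da-aea1-000854d03344.html>

Affected package: gnupg-1.4.0_1
Type of problem: gnupg -- false positive signature verification.
Reference: <http://www.FreeBSD.org/ports/portaudit/63fe4189-9f97-11da-ac32-0001020eed82.html>

Affected package: perl-5.8.6_2
Type of problem: perl, webmin, usermin -- perl format string integer wrap vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/bb33981a-7ac6-11da-bf72-00123f589060.html>

Affected package: lynx-2.8.5
Type of problem: lynx -- remote buffer overflow.
Reference: <http://www.FreeBSD.org/ports/portaudit/c01170bf-4990-11da-a1b8-000854d03344.html>

Affected package: gnupg-1.4.0_1
Type of problem: gnupg -- OpenPGP symmetric encryption vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/8375a73f-01bf-11da-bc08-0001020eed82.html>

6 problem(s) in your installed packages found.
EOF

# portversion prints one installed package per line with a status column:
# "<" means the ports tree has a newer version, "=" means it matches.
cat > "$PV" <<'EOF'
bash-3.0.16_1               <
gnupg-1.4.0_1               <
gtar-1.15.1_1               <
lynx-2.8.5                  <
perl-5.8.6_2                =
unzip-5.52_1                =
EOF

# Each affected package once, with the number of advisories filed against it.
count_affected() {            # stdin: portaudit output
    awk '/^Affected package: / { n[$3]++ }
         END { for (p in n) printf "%s %d\n", p, n[p] }' | sort
}

# Packages portversion marks "<": the ports tree has a newer version.
outdated_ports() {            # stdin: portversion output
    awk '$2 == "<" { print $1 }' | sort
}

# Vulnerable AND upgradable: the list to act on first. A package flagged by
# portaudit but marked "=" by portversion has no fix in your tree yet, so
# refresh the tree (portsnap fetch / portsnap update) and check again.
priority_upgrades() {         # $1 portaudit output, $2 portversion output
    awk 'FNR == NR { if ($2 == "<") newer[$1] = 1; next }
         /^Affected package: / && ($3 in newer) && !seen[$3]++ { print $3 }' \
        "$2" "$1" | sort
}

# Build (but do not run) the portupgrade command line; the version suffix is
# stripped because portupgrade matches installed packages by name.
upgrade_command() {           # $1 portaudit output, $2 portversion output
    names=$(priority_upgrades "$1" "$2" | sed 's/-[0-9][^-]*$//' | tr '\n' ' ')
    names=${names% }
    if [ -n "$names" ]; then
        printf 'portupgrade %s\n' "$names"
    else
        echo "nothing upgradable yet: refresh the ports tree and re-check"
    fi
}

echo "== advisories per package ==";             count_affected < "$AUDIT"
echo "== ports with a newer version in tree =="; outdated_ports < "$PV"
echo "== vulnerable and upgradable now ==";      priority_upgrades "$AUDIT" "$PV"
echo "== suggested command ==";                  upgrade_command "$AUDIT" "$PV"
```

On the sample data perl is flagged by portaudit but shows "=" in portversion, so it stays off the upgrade list: that is the case where the tree itself is stale (or, as the reply warns, has been overwritten by upcp) and needs a portsnap run before portupgrade can do anything for it.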

yonez (Active Member, Apr 22, 2006)

Hi,

What are we saying here, that it is OK to update ports packages using portupgrade under FreeBSD? Can cpanel staff guarantee that it won't break the cpanel application? Why can't they follow the ports collection style? It is a lot easier to maintain. It's just my personal opinion.

regards,
yonez