erroneous charlie root warnings

Fairly recently I converted from the old package repository to the new one. I used pkg2ng to convert the old entries. Since that time I have been getting messages from 'Charlie Root' on a nightly basis warning me to upgrade two packages with security problems, referencing Thunderbird and PostgreSQL, even though I have already upgraded to the corrected versions. I am assuming, though I might be wrong, that I may have missed some step in the conversion. I am running FreeBSD 8.4. I did run the pkg clean and pkg autoremove after the conversion. Can someone suggest what I missed?

Thank you.

Alan
 
My first thought is to check if something like ports-mgmt/portaudit or ports-mgmt/jailaudit is installed. Last I checked, they looked at directories under /var/db/pkg while pkg just uses the /var/db/pkg/local.sqlite database. The extra directories can be archived or removed after upgrading to pkg.

If you don't have either of those packages installed, are you absolutely sure you are using good versions? Both software packages you mentioned have vulnerabilities from the past month. The "charlie root" warnings you mentioned are just what gets fired off by the periodic scripts that run security checks daily, specifically /usr/local/etc/periodic/security/410.pkg-audit which calls pkg audit. So if the command pkg audit says they are vulnerable, then pkg thinks they are based off its database.
 
Thank you very much. I was aware that pkg just uses the local.sqlite database. When I converted to pkg after all the steps, I did not remove anything from the /var/db/pkg directory. My Thunderbird and PostgreSQL server have been upgraded. I'll remove the extraneous files tonight.

Alan
 
portmaster(8) keeps some distfile information in the port directories in /var/db/pkg, but it probably does no harm to remove them. I've just been removing all the data files that start with a + in the subdirectories.
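
An added example, not part of any post in this thread: a read-only check for the leftovers the replies describe, namely subdirectories of the package database directory that still hold files starting with `+`, alongside the `local.sqlite` database. The function names and the `report` argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Read-only check for leftover old-format package records after pkg2ng.
# Assumption: a legacy record is a subdirectory of the package database
# directory holding at least one file whose name starts with "+".

# Print the name of each subdirectory of $1 that holds a "+" file.
list_legacy_pkg_dirs() {
    dbdir=${1:-/var/db/pkg}
    for dir in "$dbdir"/*/; do
        [ -d "$dir" ] || continue      # glob matched nothing
        for f in "$dir"+*; do
            if [ -e "$f" ]; then
                basename "$dir"
                break
            fi
        done
    done
}

# Summarise: is the pkg database there, and which legacy records remain?
report_pkg_db() {
    dbdir=${1:-/var/db/pkg}
    if [ -f "$dbdir/local.sqlite" ]; then
        echo "pkg database: present"
    else
        echo "pkg database: missing"
    fi
    count=$(list_legacy_pkg_dirs "$dbdir" | wc -l | tr -d ' ')
    echo "legacy records: $count"
    list_legacy_pkg_dirs "$dbdir" | sed 's/^/  stale: /'
}

# Run as: sh script.sh report [dbdir]
if [ "${1:-}" = "report" ]; then
    report_pkg_db "${2:-/var/db/pkg}"
fi
```

Comparing the stale names against the output of pkg audit shows whether the nightly warning names a version recorded only in a leftover directory or one that pkg itself still considers installed.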
 