Fixing Vulnerabilities

markbsd · Nov 18, 2013

Please see the results of my pkg audit -F:

Code:

# [CMD]pkg audit -F[/CMD]
auditfile.tbz                          100%   91KB  90.7KB/s  80.7KB/s   00:01    
gnupg-2.0.20_1 is vulnerable:
gnupg -- possible infinite recursion in the compressed packet parser

WWW: [url]http://portaudit.FreeBSD.org/749b5587-2da1-11e3-b1a9-b499baab0cbe.html[/url]

gstreamer-ffmpeg-0.10.13 is vulnerable:
gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav

WWW: [url]http://portaudit.FreeBSD.org/4d087b35-0990-11e3-a9f4-bcaec565249c.html[/url]

libgcrypt-1.5.2 is vulnerable:
GnuPG and Libgcrypt -- side-channel attack vulnerability

WWW: [url]http://portaudit.FreeBSD.org/689c2bf7-0701-11e3-9a25-002590860428.html[/url]

py27-pycrypto-2.6_1 is vulnerable:
pycrypto -- PRNG reseed race condition

WWW: [url]http://portaudit.FreeBSD.org/c0f122e2-3897-11e3-a084-3c970e169bc2.html[/url]

4 problem(s) in your installed packages found.
#

How do I go about securing these vulnerabilities? Thanks.

wblock@ · Nov 18, 2013

Update your ports and build the new versions.

markbsd · Nov 18, 2013

Thanks @wblock@. I'm trying to figure out how to do this now. Could you please just give me the command(s) to do this? I've been reading:

Among a few other pages and am not sure what exactly to do!

I also keep getting this error:

Code:

gtk2-2.24.19_2.txz                     100% 6432KB 428.8KB/s 661.7KB/s   00:15    
firefox-25.0_1,1.txz                   100%   24MB 654.5KB/s   1.1MB/s   00:37    
Checking integrity...pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/a2p with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/c2ph with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/config_data with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/corelist with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/cpan with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/cpan2dist with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/cpanp with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/cpanp-run-perl with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/enc2xs with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/find2perl with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/h2ph with:
	- perl5-5.16.3_2

<snip>

When I try to pkg install firefox or xombrero!

By the way, I don't want to upgrade by building ports. I want to perform the upgrade by installing the binary packages. If you can please provide me with the commands I need to input I will be very grateful. Thank you.

markbsd · Nov 18, 2013

For an example of some of the things I've been trying and the problems I have encountered:

Code:

# [CMD]pkg info perl[/CMD]
perl-5.14.4
# [CMD]portupgrade -iRP perl[/CMD]
Packages are not yet suported. Use pkg(8) directly.
# [CMD]pkg upgrade -iRP perl[/CMD]
pkg: illegal option -- i
usage: pkg upgrade [-fInFqUy] [-r reponame]
# [CMD]pkg upgrade perl[/CMD]
usage: pkg upgrade [-fInFqUy] [-r reponame]

As you can see, I don't know what I'm doing!

markbsd · Nov 18, 2013

The strange thing is, this is a brand new install on a virtual machine and all the packages have been installed in the last 48 hours. How is it they need upgrading?

wblock@ · Nov 18, 2013

I have not used pkg enough to be very familiar with it yet. However, it is certain that pkg does not take the same options as portupgrade. I recommend not using portupgrade anyway. ports-mgmt/portmaster is preferred, and should be able to upgrade with binary packages with the -P and -PP options.

/usr/ports/UPDATING often shows exactly the commands needed to update, in three different versions depending on what is being used. There is one for Perl.

The "locally installed" messages are probably because the old package tools (pkg_*, note the underscore) were mixed with new pkg tools. That's probably fixable by forcing a deinstall of the old one, or forcing an install of the new one.

wblock@ · Nov 18, 2013

markbsd said:
The strange thing is, this is a brand new install on a virtual machine and all the packages have been installed in the last 48 hours. How is it they need upgrading?

If I may use a sandwich analogy: packages are pre-made, frozen, and shipped to stores where they are thawed and served to customers. They may be only a day old, or maybe a week. Packages that come with install media were built on or before the release date, and are already a little old. Or maybe a lot.

Ports, on the other hand, are made fresh, to-order (linked with the libraries already on the machine, with correctly-optimized instructions), using ingredients that have just been delivered (with portsnap or svn).

markbsd · Nov 18, 2013

Code:

# [CMD]pkg version -vIL=[/CMD]
apache22-2.2.25                    <   needs updating (index has 2.2.25_1)
aspell-0.60.6.1_2                  <   needs updating (index has 0.60.6.1_3)
ca_root_nss-3.15.1                 <   needs updating (index has 3.15.2_1)
cairo-1.10.2_5,2                   <   needs updating (index has 1.10.2_6,2)
cantarell-fonts-0.0.13             <   needs updating (index has 0.0.15)
curl-7.31.0_1                      <   needs updating (index has 7.33.0_1)
cyrus-sasl-2.1.26_2                <   needs updating (index has 2.1.26_3)
dejavu-2.33                        <   needs updating (index has 2.34)
desktop-file-utils-0.21            <   needs updating (index has 0.22_1)
dmidecode-2.11                     <   needs updating (index has 2.12)
enchant-1.6.0_1                    <   needs updating (index has 1.6.0_2)
esound-0.2.41_1                    <   needs updating (index has 0.2.41_2)
evolution-data-server-2.32.1_4     <   needs updating (index has 2.32.1_5)
ffmpeg-0.7.15,1                    <   needs updating (index has 2.1,1)
fontconfig-2.10.93,1               <   needs updating (index has 2.10.95,1)
freetype2-2.4.12_1                 <   needs updating (index has 2.5.0.1)
gettext-0.18.3                     <   needs updating (index has 0.18.3.1)
gmp-5.1.2                          <   needs updating (index has 5.1.3)
gnome-icon-theme-2.31.0_3          <   needs updating (index has 3.6.2)
gnome2-2.32.1_4                    <   needs updating (index has 2.32.1_5)
gnupg-2.0.20_1                     <   needs updating (index has 2.0.22)
gnutls-2.12.23_1                   <   needs updating (index has 2.12.23_2)
gobject-introspection-1.36.0_1     <   needs updating (index has 1.36.0_2)
gpac-libgpac-0.4.5_6,1             <   needs updating (index has 0.5.0,1)
gpgme-1.3.2                        <   needs updating (index has 1.4.3)
gstreamer-ffmpeg-0.10.13           <   needs updating (index has 0.10.13_1)
gtar-1.26                          <   needs updating (index has 1.27)
gtk-2.24.19_1                      <   needs updating (index has 2.24.19_2)
gtkglext-1.2.0_11                  <   needs updating (index has 1.2.0_12)
gtkmm-2.24.2_1                     <   needs updating (index has 2.24.4)
hal-0.5.14_20                      <   needs updating (index has 0.5.14_22)
iso-codes-3.43                     <   needs updating (index has 3.46)
libSM-1.2.1,1                      <   needs updating (index has 1.2.2,1)
libX11-1.6.0,1                     <   needs updating (index has 1.6.2,1)
libXaw-1.0.11,2                    <   needs updating (index has 1.0.12,2)
libXfont-1.4.5,1                   <   needs updating (index has 1.4.6,1)
libXmu-1.1.1,1                     <   needs updating (index has 1.1.2,1)
libXpm-3.5.10                      <   needs updating (index has 3.5.11)
libXrandr-1.4.1                    <   needs updating (index has 1.4.2)
libXv-1.0.9,1                      <   needs updating (index has 1.0.10,1)
libassuan-2.0.3                    <   needs updating (index has 2.1.1)
libaudiofile-0.2.7                 <   needs updating (index has 0.3.6)
libdiscid-0.2.2_1                  <   needs updating (index has 0.6.1)
libgcrypt-1.5.2                    <   needs updating (index has 1.5.3)
libgnome-keyring-2.32.0_5          <   needs updating (index has 2.32.0_6)
libgphoto2-2.4.14_3                <   needs updating (index has 2.4.14_4)
libgsf-1.14.27                     <   needs updating (index has 1.14.28)
libidn-1.27                        <   needs updating (index has 1.28_1)
libltdl-2.4.2                      <   needs updating (index has 2.4.2_2)
libmpeg2-0.5.1_1                   <   needs updating (index has 0.5.1_3)
libmusicbrainz-3.0.3_2             <   needs updating (index has 3.0.3_3)
libpciaccess-0.13.1_3              <   needs updating (index has 0.13.2)
libpthread-stubs-0.3_3             <   needs updating (index has 0.3_4)
libtasn1-2.14                      <   needs updating (index has 3.3)
libvpx-1.1.0                       <   needs updating (index has 1.2.0)
lsof-4.88.d,8                      <   needs updating (index has 4.88.e_1,8)
nspr-4.10                          <   needs updating (index has 4.10.1)
nss-3.15.1                         <   needs updating (index has 3.15.2)
opencv-core-2.3.1_7                <   needs updating (index has 2.3.1_9)
openldap-client-2.4.35             <   needs updating (index has 2.4.37)
orc-0.4.17                         <   needs updating (index has 0.4.18)
p11-kit-0.16.3                     <   needs updating (index has 0.20.1)
p5-IO-Socket-IP-0.22               <   needs updating (index has 0.24)
p5-IO-Socket-SSL-1.953             <   needs updating (index has 1.960)
p5-Socket-2.011                    <   needs updating (index has 2.013)
p5-Time-HiRes-1.9725,1             <   needs updating (index has 1.9726,1)
p5-XML-LibXML-2.0018,1             <   needs updating (index has 2.0106_1,1)
p5-XML-SAX-0.99                    <   needs updating (index has 0.99_1)
pciids-20130718                    <   needs updating (index has 20131110)
perl-5.14.4                        <   needs updating (index has 5.14.4_2)
pixman-0.30.0                      <   needs updating (index has 0.30.2)
pkg-1.1.4_8                        <   needs updating (index has 1.1.4_9)
pkgconf-0.9.2_1                    <   needs updating (index has 0.9.3)
portupgrade-2.4.11,2               <   needs updating (index has 2.4.11.2_1,2)
py27-cairo-1.8.10_1                <   needs updating (index has 1.10.0_1)
py27-gtk-2.24.0_1                  <   needs updating (index has 2.24.0_2)
py27-pycrypto-2.6_1                <   needs updating (index has 2.6.1)
python27-2.7.5_1                   <   needs updating (index has 2.7.5_4)
samba36-libsmbclient-3.6.17        <   needs updating (index has 3.6.20)
seahorse-2.32.0_9                  <   needs updating (index has 2.32.0_10)
speex-1.2.r1_4,1                   <   needs updating (index has 1.2.r1_5,1)
sqlite3-3.7.17_1                   <   needs updating (index has 3.8.0.2)
taglib-1.8                         <   needs updating (index has 1.9.1)
twm-1.0.7                          <   needs updating (index has 1.0.8)
upower-0.9.7_1                     <   needs updating (index has 0.9.7_2)
virtualbox-ose-additions-4.2.16    <   needs updating (index has 4.2.18)
webcamd-3.10.0.7                   <   needs updating (index has 3.11.0.2)
x264-0.125.2201                    <   needs updating (index has 0.136.2358_1)
xauth-1.0.7                        <   needs updating (index has 1.0.8)
xbacklight-1.2.0                   <   needs updating (index has 1.2.1)
xclock-1.0.6_1                     <   needs updating (index has 1.0.7_1)
xf86-video-intel-2.7.1_4           <   needs updating (index has 2.7.1_5)
xf86-video-r128-6.8.4_3            <   needs updating (index has 6.9.2)
xf86-video-vesa-2.3.2              <   needs updating (index has 2.3.3)
xinit-1.3.2,1                      <   needs updating (index has 1.3.3,1)
xinput-1.6.0                       <   needs updating (index has 1.6.1)
xkeyboard-config-2.9               <   needs updating (index has 2.9_1)
xkill-1.0.3                        <   needs updating (index has 1.0.4)
xlsclients-1.1.2                   <   needs updating (index has 1.1.3)
xmodmap-1.0.7                      <   needs updating (index has 1.0.8)
xorg-server-1.7.7_8,1              <   needs updating (index has 1.7.7_11,1)
xprop-1.2.1                        <   needs updating (index has 1.2.2)
xrdb-1.0.9                         <   needs updating (index has 1.1.0)
xset-1.2.2_1                       <   needs updating (index has 1.2.3_1)
xterm-296                          <   needs updating (index has 297)
xwd-1.0.5                          <   needs updating (index has 1.0.6)
#

I know you prefer portmaster: is portmaster -DaP the right command to update the above packages using packages, not ports?

wblock@ · Nov 18, 2013

It will try, but if the right package is not available, it will build from ports.

markbsd · Nov 18, 2013

wblock@ said:
I have not used pkg enough to be very familiar with it yet. However, it is certain that pkg does not take the same options as portupgrade. I recommend not using portupgrade anyway. ports-mgmt/portmaster is preferred, and should be able to upgrade with binary packages with the -P and -PP options.

Thanks. See above post I just made. I just installed portmaster, so I can now use that if I knew the right command(s)?

/usr/ports/UPDATING often shows exactly the commands needed to update, in three different versions depending on what is being used. There is one for Perl.

The "locally installed" messages are probably because the old package tools (pkg_*, note the underscore) were mixed with new pkg tools. That's probably fixable by forcing a deinstall of the old one, or forcing an install of the new one.

After my dramas with GNOME. I did this:

Deleted virtual image.
Created new image.
Installed fresh FreeBSD 9.2
Ran: freebsd-update fetch, freebsd-update install, portsnap fetch, portsnap extract, portsnap update
Installed GNOME2 with pkg_add -r gnome2
Ran /usr/sbin/pkg
Ran pkg2ng (according to Handbook, this converts all previously installed pkg_add packages to the new pkg database)
Tried to pkg install xombrero, but I got the perl error, so ran make install clean from www/xombrero
Am now trying to update my packages and install firefox via pkg install.

So, my machine should be up-to-date and the only package I installed using pkg_add was GNOME2, but I then ran the correct command to convert the database. Right?

wblock@ said:
If I may use a sandwich analogy: packages are pre-made, frozen, and shipped to stores where they are thawed and served to customers. They may be only a day old, or maybe a week. Packages that come with install media were built on or before the release date, and are already a little old. Or maybe a lot.

Ports, on the other hand, are made fresh, to-order (linked with the libraries already on the machine, with correctly-optimized instructions), using ingredients that have just been delivered (with portsnap or svn).

Ports simply take far too long to build for me. I don't have the luxury of waiting for one port to build when I could literally install a dozen or more packages in that same time.

markbsd · Nov 18, 2013

wblock@ said:
It will try, but if the right package is not available, it will build from ports.

Oh no! Look:

Code:

# [CMD]portmaster -DaP[/CMD]
===>>> Package installation support cannot be used with pkgng yet,
       it will be disabled

===>>> Starting check of installed ports for available updates
===>>> Launching child to update pkg-1.1.4_8 to pkg-1.1.4_9

===>>> All >> pkg-1.1.4_8 (1/1)

===>>> Currently installed version: pkg-1.1.4_8
===>>> Port directory: /usr/ports/ports-mgmt/pkg

===>>> Launching 'make checksum' for ports-mgmt/pkg in background
===>>> Gathering dependency list for ports-mgmt/pkg from ports
===>>> No dependencies for ports-mgmt/pkg

===>>> Returning to update check of installed ports

^C
===>>> Exiting due to signal
===>>> Killing background jobs
Terminated
Terminated
Terminated
===>>> Exiting
#

Does this mean what I think it means? I simply cannot upgrade packages, I have to use ports? Surely there must be some way to upgrade with packages? Or do I have to again delete this image, make a new one, install FreeBSD again and stick with pkg_add? This is killing me!

wblock@ · Nov 18, 2013

The first thing it's trying to do is update pkg. That may improve the situation. Don't be afraid of ports, most do not take long to build.

Don't go back to pkg_install, that's a dead end.

kpa · Nov 18, 2013

There is of course a way to update with packages but that requires new packages that are built and updated at the package repositories. They are now being built but only once a week:

http://lists.freebsd.org/pipermail/freebsd-pkg/2013-October/000107.html

You are in luck, it wasn't too long ago when there was no packages available (or some very old packages at best) for any version of FreeBSD because of the fallout from the security incident of nov 2012 that forced all FreeBSD.org package building systems offline for security review. That combined with that fact that at the same time there was a major restructuring planned for the FreeBSD.org servers resulted in no packages at all for almost a year.

http://www.freebsd.org/news/2012-compromise.html

kpa · Nov 18, 2013

markbsd said:
After my dramas with GNOME. I did this:

Installed GNOME2 with pkg_add -r gnome2

Ran /usr/sbin/pkg

Ran pkg2ng (according to Handbook, this converts all previously installed pkg_add packages to the new pkg database)

These steps resulted in awful lot of extra and unnecessary and error-prone work. If you're going to use the new pkg(8) packages anyway then why install anything with pkg_add(1)?

This is what I would have done instead:

/usr/sbin/pkg
echo 'WITH_PKGNG="YES"' >>/etc/make.conf
pkg -v and verify it matches the version of ports-mgmt/pkg, important!!!
pkg update
pkg install portmaster
pkg install gnome2 If this fails, try the next step
portmaster x11/gnome2

markbsd · Nov 18, 2013

kpa said:
These steps resulted in awful lot of extra and unnecessary and error-prone work. If you're going to use the new pkg(8) packages anyway then why install anything with pkg_add(1)?

This is what I would have done instead:

/usr/sbin/pkg

echo 'WITH_PKGNG="YES"' >>/etc/make.conf

pkg -v and verify it matches the version of ports-mgmt/pkg, important!!!

pkg update

pkg install portmaster

pkg install gnome2 If this fails, try the next step

portmaster x11/gnome2

@kpa, don't you remember the thread from yesterday? I couldn't pkg install gnome2! That's precisely why I deleted the image, made a new one and reinstalled FreeBSD. So I could install gnome2 as a package with pkg_add! And then convert to pkgng. And, I do not want to install anything via ports if possible -- it takes far too long. So portmaster x11/gnome2 isn't desirable.

So, basically, I can't update with packages? The only way to update installs on FreeBSD is by using ports?

markbsd · Nov 18, 2013

wblock@ said:
The first thing it's trying to do is update pkg. That may improve the situation. Don't be afraid of ports, most do not take long to build.

Update pkg? How, with pkg update? That's been done. And ports take an eternity to build -- I quite literally despise them! I don't say that lightly either. For an example, it took 1.5 hours to build xombrero! Xombrero!!! You know how long it takes to install xombrero as a package? 5 minutes.

Don't go back to pkg_install, that's a dead end.

But if I don't, ALL updates/upgrades must be done with ports, right?

Savagedlight · Nov 18, 2013

markbsd said:
So, basically, I can't update with packages? The only way to update installs on FreeBSD is by using ports?

I don't know why you're unable to install gnome2. Do execute # pkg search gnome2 to see if you find the correct package name. Perhaps gnome2-lite is what you're looking for?

As for upgrading all installed packages (when an update is available), this can be done by executing # pkg upgrade and then inspect the list of tasks which will be performed.

markbsd said:
Update pkg? How, with pkg update?

# pkg update just fetches the latest package index. I believe pkg does this automatically when relevant, if the local index is old enough.

EDIT: According to x11/gnome2, it's just a meta-port. This might be why it's not currently available in pkgng format, although I don't know whether this is intended. Inspect that page and see which packages you'll have to install to get a full gnome2 desktop.

markbsd · Nov 18, 2013

Savagedlight said:
I don't know why you're unable to install gnome2. Do execute # pkg search gnome2 to see if you find the correct package name. Perhaps gnome2-lite is what you're looking for?

See this thread. I want the full gnome2 package -- not the lite install -- but it is not available as a package right now. A PR has been lodged.

As for upgrading all installed packages (when an update is available), this can be done by executing # pkg upgrade and then inspect the list of tasks which will be performed.

THANK YOU! Will pkg upgrade fix these vulnerabilities:

Code:

#  [CMD]pkg audit -F[/CMD]
auditfile.tbz                          100%   91KB  90.7KB/s  80.7KB/s   00:01    
gnupg-2.0.20_1 is vulnerable:
gnupg -- possible infinite recursion in the compressed packet parser

WWW: [url]http://portaudit.FreeBSD.org/749b558...9baab0cbe.html[/url]

gstreamer-ffmpeg-0.10.13 is vulnerable:
gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav

WWW: [url]http://portaudit.FreeBSD.org/4d087b3...ec565249c.html[/url]

libgcrypt-1.5.2 is vulnerable:
GnuPG and Libgcrypt -- side-channel attack vulnerability

WWW: [url]http://portaudit.FreeBSD.org/689c2bf...590860428.html[/url]

py27-pycrypto-2.6_1 is vulnerable:
pycrypto -- PRNG reseed race condition

WWW: [url]http://portaudit.FreeBSD.org/c0f122e...70e169bc2.html[/url]

4 problem(s) in your installed packages found.
#

and eliminate this error I keep encountering:

Code:

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/c2ph with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/config_data with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/corelist with:
	- perl5-5.16.3_2

???

markbsd · Nov 18, 2013

@Savagedlight, you're an absolute champion, my friend!!!

kpa · Nov 18, 2013

You can try to use something like this:

make -C /usr/ports/x11/gnome missing | xargs -n1 pkg install -y

What it does is to generate a list of ports that the meta-port x11/gnome2 requires and then feeds the lines one by one to pkg install -y (install without questions).

However, I can now possibly see why x11/gnome2 isn't in the package repo, some of the dependencies of it require perl version 5.14 while the default version is now 5.16. Such conflicts can not be yet handled gracefully because the ports(7) system has never been able to handle that situation properly but only to complain about conflicting versions.

markbsd · Nov 18, 2013

kpa said:
You can try to use something like this:

make -C /usr/ports/x11/gnome missing | xargs -n1 pkg install -y

What it does is to generate a list of ports that the meta-port x11/gnome2 requires and then feeds the lines one by one to pkg install -y (install without questions).

Thank you for this! I don't need it now because, as you know, I already went to great lengths to get GNOME2 on this install, but this is handy to know.

However, I can now possibly see why x11/gnome2 isn't in the package repo, some of the dependencies of it require perl version 5.14 while the default version is now 5.16.

This makes sense now! perl 5.14 is causing all these errors for me when I try to pkg install packages that require perl 5.16. Obviously, using pkg_add gnome2 installed the older perl, which, for some reason, won't automagically be updated with its later version when I try to install Firefox, for example. Why doesn't pkg install firefox just update perl 5.14 to 5.16 though? Why must it be done manually?

By the way, that security breach you linked me to is very disconcerting! I can't believe the FreeBSD.org servers were hacked!!! You'd think that would be one of the hardest hacks in the world. It makes news like this:

Pkg 1.2 will be released in the coming month which will bring many
improvements including officially signed packages.

very reassuring because, frankly, FreeBSD is quite a bit behind in package management.

markbsd · Nov 18, 2013

Okay. This is starting to really annoy me. pkg upgrade was going great, and then:

Code:

orca-2.32.1_2.txz                                  100% 1496KB 748.2KB/s   1.2MB/s   00:02    
Checking integrity...
Conflict found on path /usr/local/bin/a2p between perl5.14-5.14.4_2(lang/perl5.14) and perl5-5.16.3_2(lang/perl5.16)

Conflict found on path /usr/local/bin/c2ph between perl5.14-5.14.4_2(lang/perl5.14) and perl5-5.16.3_2(lang/perl5.16)

Conflict found on path /usr/local/bin/config_data between perl5.14-5.14.4_2(lang/perl5.14) and perl5-5.16.3_2(lang/perl5.16)

Conflict found on path /usr/local/bin/corelist between perl5.14-5.14.4_2(lang/perl5.14) and perl5-5.16.3_2(lang/perl5.16)

Conflict found on path /usr/local/bin/cpan between perl5.14-5.14.4_2(lang/perl5.14) and perl5-5.16.3_2(lang/perl5.16)

What do I do?

markbsd · Nov 18, 2013

I need to update perl-5.14 or delete it entirely and install perl-5.16.

markbsd · Nov 18, 2013

See:

Code:

# [CMD]pkg delete perl[/CMD]
pkg: Error while trying to delete packages, dependencies that are still required:
lang/perl5.14: devel/glib20, devel/gobject-introspection, devel/dbus-glib, sysutils/policykit, sysutils/polkit, sysutils/consolekit, sysutils/hal, x11-servers/xorg-server, x11-drivers/xf86-video-vesa, x11-drivers/xf86-video-radeonhd, x11-drivers/xf86-video-r128, x11-drivers/xf86-video-openchrome, x11-drivers/xf86-video-nv, x11-drivers/xf86-video-mach64, x11-drivers/xf86-video-i
<snip>
#

It won't even let me delete the damn thing!

I don't understand why this is happening. According to pkg help upgrade:

Finally, the work list is executed in dependency order. Package rein-
stall or update jobs are processed by removing the currently installed
package and immediately installing the replacement. New dependencies are
processed as installation jobs as part of the work list.

So, why isn't the process removing perl-5.14?

kpa · Nov 18, 2013

The security incident didn't have anything to do with the servers directly. What happened was that an SSH secret key (that is used for public key logins) got leaked from a client machine of one of the developers that had access to the package building cluster. Such breach could have happened to just about anybody and it's not know if the developer was using FreeBSD on the said client machine, it could have been Windows or OS X just as well.