Python will not update

[scryptkiddy]

So I stood up a new system 8.2 amd64 on a Dell 1950 and after installing the ports that I needed I ran a

[CMD=""]#portaudit -Fda[/CMD]

to see if there were any known issues with the ports I had installed.

It came out with 2 hits:

....
Affected package: python25-2.5.6_2
Type of problem: Python -- DoS via malformed XML-RPC / HTTP POST request
.....
Affected package: python-2.5,2
Type of problem: Python -- DoS via malformed XML-RPC / HTTP POST request
....

So I tried to upgrade the port:

[CMD=""]#portmaster python[/CMD]

Output:

Working on:
 python25-2.5.6_2
 python-2.5,2

...Launching...
...Gathering...
...Starting Build...
...Cleaning for...

Please update your ports tree and try again
*** Error code 1 
Stop in /usr/ports/lang/python25
Make failed for lang/python25
Aborting update

Terminated

You can restart....

So I updated portstree:
[CMD=""]#portsnap fetch[/CMD]
[CMD=""]#portsnap update[/CMD]

Some patches came down (about 5), I reran the portmaster to upgrade python, same error.
So tried to update portstree again, it stated:

Latest snapshot on server matches what we already have. 
No updates needed.

Ideas?

SK

 

[vand777]

I might be wrong but I think that lang/python25 still has a security vulnerability as the patch has not been released yet. That's why portaudit prohibits the update. If you read the whole error output you will see the solution. You need to setup some flag to force the installation (do not remeber its name...).

 

[scryptkiddy]

Ahh, yeah, that makes sense.

I shoulda checked the ports under the freebsd.org site too see that... I did just now and sure enough python25-2.5.6_2 was the latest port version.

Many thanks

 

[vand777]

The below should help if you compile from sources:

# make -DDISABLE_VULNERABILITIES install clean

 

[scryptkiddy]

Does that option install the software with the vulnerabilities removed, or what does it do exactly?

 

[vand777]

Does that option install the software with the vulnerabilities removed, or what does it do exactly?

It just ignores that there is a vulnerability in the port and permits installation.

 

[wblock@]

That option should only be mentioned when there's also a strong warning that it defeats a security feature. Do not use it unless you have read about why the port is forbidden and decided that it is not a problem in your situation.

 

[scryptkiddy]

Interesting and good to know.

In this case, I already have the port installed, I was just trying to mitigate the vulnerability by upgrading the port via portmaster.

I didn't want to remove python, because I wasn't sure what applications would be hindered from functioning.

[CMD=""]#pkg_info -R python-2.5,2[/CMD]
and
[CMD=""]#pkg_info -R python25-2.5.6_2[/CMD]

It lists out other packages, but I'm not sure what it really affects in terms of usability for other applications in general.

So I'll wait for the patch for now.