[Solved] How to deal with security updates using pkgng?

I've recently introduced FreeBSD to our server fleet in the form of an internal backup server. The main reason being the nice integration of ZFS. I'm used to administering Linux servers and I'm just getting my feet wet with FreeBSD, so please bear with me.

I'm using FreeBSD 10.0 with PKGNG to install all my packages. I have not done it any other way so far (I really only need rsnapshot and python). Everything is working well but last night the daily periodic email informed me that libxml2-2.8.0_5 has a security vulnerability:
Code:
Checking for packages with security vulnerabilities:
libxml2-2.8.0_5

My question is, how do I deal with this vulnerability in particular and future vulnerabilities in general? pkg update && pkg upgrade does not yet yield any result - it seems that the binary ports have not yet been updated with a new libxml2 release. Do I simply wait?

This is not a serious problem for me at this point - this being an internal server with no exposure - but what if this was Heartbleed? Would PKGNG's official repository be updated swiftly or would it be my responsibility to compile my own packages?

Thanks for your help!

href
Re: How to deal with security updates using pkgng?

You have to wait until the next batch of packages is built; this can take up to a week for the new PKGNG packages because of limited resources available for building them. If you absolutely have to update now you can build the updated package from an up-to-date ports tree.

make -C /usr/ports/textproc/libxml2 clean reinstall clean

For anyone else stumbling on this thread, this should be enough deterrent to not use FreeBSD 10.0-RELEASE in any serious production because you're quite on your own with these issues and you have to know what you're doing. The next release 10.1-RELEASE will have much better support because by the time it has been released the support for the old style packages is gone and all the package building resources can be dedicated to PKGNG packages.
Re: How to deal with security updates using pkgng?

Thank you, that answers my question.

kpa said:
For anyone else stumbling on this thread, this should be enough deterrent to not use FreeBSD 10.0-RELEASE in any serious production because you're quite on your own with these issues and you have to know what you're doing. The next release 10.1-RELEASE will have much better support because by the time it has been released the support for the old style packages is gone and all the package building resources can be dedicated to PKGNG packages.

Is it generally a bad idea to run the latest RELEASE of FreeBSD? Should I stick to a legacy release? Or is it just the case with the 10.0 release as it fully embraces PKGNG?
Re: How to deal with security updates using pkgng?

href said:
Thank you, that answers my question.

kpa said:
For anyone else stumbling on this thread, this should be enough deterrent to not use FreeBSD 10.0-RELEASE in any serious production because you're quite on your own with these issues and you have to know what you're doing. The next release 10.1-RELEASE will have much better support because by the time it has been released the support for the old style packages is gone and all the package building resources can be dedicated to PKGNG packages.

Is it generally a bad idea to run the latest RELEASE of FreeBSD? Should I stick to a legacy release? Or is it just the case with the 10.0 release as it fully embraces pkgng?

No, using the RELEASE versions is a good idea and usually the best bet for getting support. However, 10.0-RELEASE and X.0-RELEASE versions in general are a special case because they haven't been through as good a development and testing cycle as the later releases will have. X.0-RELEASE versions are more like "BETA versions" for early adopters than full release versions.

Yes, the switch to PKGNG packages also complicates matters somewhat.
Re: How to deal with security updates using pkgng?

I see, thank you very much for your help!

Edit: For future reference, this is what I ended up doing on a local staging image, which solves the problem with libxml2:

Code:
portsnap fetch
portsnap extract
portsnap update
make -C /usr/ports/textproc/libxml2 clean reinstall clean

The portsnap extract command was probably unnecessary, but I ran it anyway, because I hadn't done so before.
See http://www.freebsd.org/doc/handbook/ports-using.html

After this the following command did not report any problems anymore:
Code:
pkg audit -F
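Added example, not code from the thread or from FreeBSD: a small POSIX sh helper that turns the workflow above (read the periodic/pkg audit report, decide whether to wait for the repository or rebuild the port) into a repeatable check. It parses the package tokens that periodic(8) and pkg audit print, splits them into name and version, and, only when pkg(8) is actually installed, uses `pkg version -R` to see whether the repository already carries a newer build and `pkg query %o` to look up the ports origin for the rebuild command. The audit output embedded in the test is constructed for illustration; the function and variable names are my own.

```sh
#!/bin/sh
# Added example (not from the thread): triage helper for pkg audit findings.
# Reads audit/periodic output on stdin; talks to pkg(8) only if it is present.

# Print the unique "name-version" tokens found in pkg audit / periodic output.
# Accepts both the bare form periodic(8) emits ("libxml2-2.8.0_5") and the
# pkg audit form ("libxml2-2.8.0_5 is vulnerable:"); description lines and the
# trailing "N problem(s) in the installed packages found." summary are skipped.
audit_packages() {
    while IFS= read -r line; do
        set -- $line
        [ $# -eq 0 ] && continue
        case "$1" in
            *-[0-9]*)
                if [ $# -eq 1 ] || [ "$2 $3" = "is vulnerable:" ]; then
                    printf '%s\n' "$1"
                fi
                ;;
        esac
    done | sort -u
}

# FreeBSD package tokens are "name-version"; the version follows the last '-',
# so names that themselves contain hyphens (py27-foo-1.2) split correctly.
pkg_name()    { printf '%s\n' "${1%-*}"; }
pkg_version() { printf '%s\n' "${1##*-}"; }

# For every vulnerable package decide between the two options given in the
# thread: the repository already has a newer build (pkg upgrade is enough),
# or it has not been rebuilt yet (rebuild from an updated ports tree).
# "pkg version -R" marks an installed package older than the remote with '<';
# "pkg query %o" returns its ports origin (e.g. textproc/libxml2).
triage() {
    if ! command -v pkg >/dev/null 2>&1; then
        echo "pkg(8) not available; cannot triage" >&2
        return 1
    fi
    audit_packages | while IFS= read -r p; do
        name=$(pkg_name "$p")
        origin=$(pkg query %o "$name")
        if pkg version -R -x "^$name-" | grep -q '<'; then
            echo "$p: newer build in repository -> pkg upgrade $name"
        else
            echo "$p: not rebuilt upstream yet -> make -C /usr/ports/$origin clean reinstall clean"
        fi
    done
}

# Usage on a FreeBSD host (refresh the vulnerability database first):
#   pkg audit -F | triage
```

Running this from a periodic job or cron after `pkg audit -F` gives a one-line verdict per finding instead of a bare package name, and the rebuild command it prints is the same one used in the thread with the origin filled in from the installed package's metadata rather than guessed.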