Updating ports for security reasons

R

RichardM

Hello, I'm new to FreeBSD, from a Linux/HP-UX background - migrating due to Linux constantly changing, and requirements at work to remove old HP kit. Firstly, I'd like to say thanks for a great quality operating system - still can't believe I just did a binary upgrade from 9.0-RELEASE to 9.1-RELEASE and didn't have to recompile Nvidia drivers or Virtualbox.

I have set up my home workstation by gradually working through the handbook, my impression being that FreeBSD is reasonably easy to administer, if you take the time to research what it's doing. The workstation is used for surfing the net/coding/number crunching/multimedia, and doesn't run any servers. I have now started upgrading ports identified by portaudit, and am worried about security, as the machine has been running at 9.0-RELEASE for two months without updates. Should I really be worried about this, or am I being too paranoid?

For example, I have updated the flash plugin now, but has FreeBSD been targeted at all for malware via flash? I wondered, is there is a "knowledge base" somewhere of how FreeBSD gets hacked or targeted in practice?
 
ports-mgmt/portaudit gets its information directly from the FreeBSD VuXML database.

Certainly it's good to keep ports up to date for security reasons, but FreeBSD as a target is not nearly as vulnerable as some other systems. A lot of services are not started by default, for instance. Many things that are commonly found elsewhere are not even installed by default.

my impression being that FreeBSD is reasonably easy to administer, if you take the time to research what it's doing
Click to expand...

Just wanted to quote that because it's well said.
 
RichardM said:
For example, I have updated the flash plugin now, but has FreeBSD been targeted at all for malware via flash? I wondered, is there is a "knowledge base" somewhere of how FreeBSD gets hacked or targeted in practice?
Click to expand...

The flash and java exploits are targeted at windows platform in almost every case, I'm very doubtful that any of them would ever work on FreeBSD the way the creator of the exploit intended.

It's usual to get hacked via a vulnerability in a service that you expose to the internet, a web server and PHP is probably the most common one. This implies that if you don't expose any services on your system, e.g. a pure workstation system, you're pretty safe.
 
Thanks for your help - I'll stop worrying, and won't reinstall FreeBSD :)

I was tying myself in knots thinking the kids could have run a flash game with malware that then used a recent vulnerability in libXfont to exploit Xorg - but I guess that is pretty far-fetched. With SLE (SUSE Linux Enterprise) there was a constant stream of flash/firefox updates from Novell, but then keeping software up-to-date that wasn't from the SLE repositories was difficult.

I prefer the FreeBSD approach, as it makes you understand what's going on "under the hood". For example, I have ignored the message about libotr from portaudit, as the problem looks like it's next to impossible to exploit, and /usr/ports/UPDATING says use portmaster -r libotr, which ends up wanting to recompile KDE etc.

Thanks again!
 
I would do the upgrade anyway, just to avoid any known problems. But then, I don't run KDE, mostly because it's just so big. You could install a lightweight window manager like x11-wm/fluxbox to use while KDE is being rebuilt.
 
You must log in or register to reply here.
Back
Top