# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR The FreeBSD Project # This file is distributed under the same license as the FreeBSD Documentation package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: FreeBSD Documentation VERSION\n" "POT-Creation-Date: 2025-08-17 20:54+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: YAML Front Matter: description #: documentation/content/en/books/porters-handbook/security/_index.adoc:1 #, no-wrap msgid "Security instructions when making a FreeBSD Port" msgstr "" #. type: YAML Front Matter: title #: documentation/content/en/books/porters-handbook/security/_index.adoc:1 #, no-wrap msgid "Chapter 12. Security" msgstr "" #. type: Title = #: documentation/content/en/books/porters-handbook/security/_index.adoc:14 #, no-wrap msgid "Security" msgstr "" #. type: Title == #: documentation/content/en/books/porters-handbook/security/_index.adoc:52 #, no-wrap msgid "Why Security is So Important" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:58 msgid "" "Bugs are occasionally introduced to the software. Arguably, the most " "dangerous of them are those opening security vulnerabilities. From the " "technical viewpoint, such vulnerabilities are to be closed by exterminating " "the bugs that caused them. However, the policies for handling mere bugs and " "security vulnerabilities are very different." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:64 msgid "" "A typical small bug affects only those users who have enabled some " "combination of options triggering the bug. The developer will eventually " "release a patch followed by a new version of the software, free of the bug, " "but the majority of users will not take the trouble of upgrading immediately " "because the bug has never vexed them. A critical bug that may cause data " "loss represents a graver issue. Nevertheless, prudent users know that a lot " "of possible accidents, besides software bugs, are likely to lead to data " "loss, and so they make backups of important data; in addition, a critical " "bug will be discovered really soon." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:72 msgid "" "A security vulnerability is all different. First, it may remain unnoticed " "for years because often it does not cause software malfunction. Second, a " "malicious party can use it to gain unauthorized access to a vulnerable " "system, to destroy or alter sensitive data; and in the worst case the user " "will not even notice the harm caused. Third, exposing a vulnerable system " "often assists attackers to break into other systems that could not be " "compromised otherwise. Therefore closing a vulnerability alone is not " "enough: notify the audience of it in the most clear and comprehensive " "manner, which will allow them to evaluate the danger and take appropriate " "action." msgstr "" #. type: Title == #: documentation/content/en/books/porters-handbook/security/_index.adoc:74 #, no-wrap msgid "Fixing Security Vulnerabilities" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:82 msgid "" "While on the subject of ports and packages, a security vulnerability may " "initially appear in the original distribution or in the port files. In the " "former case, the original software developer is likely to release a patch or " "a new version instantly. Update the port promptly with respect to the " "author's fix. If the fix is delayed for some reason, either " "crossref:porting-dads[dads-noinstall,mark the port as `FORBIDDEN`] or " "introduce a patch file to the port. In the case of a vulnerable port, just " "fix the port as soon as possible. In either case, follow crossref:port-" "upgrading[port-upgrading,the standard procedure for submitting changes] " "unless having rights to commit it directly to the ports tree." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:87 msgid "" "Being a ports committer is not enough to commit to an arbitrary port. " "Remember that ports usually have maintainers, must be respected." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:95 msgid "" "Please make sure that the port's revision is bumped as soon as the " "vulnerability has been closed. That is how the users who upgrade installed " "packages on a regular basis will see they need to run an update. Besides, a " "new package will be built and distributed over FTP and WWW mirrors, " "replacing the vulnerable one. Bump `PORTREVISION` unless `DISTVERSION` has " "changed in the course of correcting the vulnerability. That is, bump " "`PORTREVISION` if adding a patch file to the port, but do not bump it if " "updating the port to the latest software version and thus already touched " "`DISTVERSION`. Please refer to the crossref:makefiles[makefile-naming-" "revepoch,corresponding section] for more information." msgstr "" #. type: Title == #: documentation/content/en/books/porters-handbook/security/_index.adoc:97 #, no-wrap msgid "Keeping the Community Informed" msgstr "" #. type: Title === #: documentation/content/en/books/porters-handbook/security/_index.adoc:100 #, no-wrap msgid "The VuXML Database" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:108 msgid "" "A very important and urgent step to take as early after a security " "vulnerability is discovered as possible is to notify the community of port " "users about the jeopardy. Such notification serves two purposes. First, if " "the danger is really severe it will be wise to apply an instant workaround. " "For example, stop the affected network service or even deinstall the port " "completely until the vulnerability is closed. Second, a lot of users tend " "to upgrade installed packages only occasionally. They will know from the " "notification that they _must_ update the package without delay as soon as a " "corrected version is available." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:112 msgid "" "Given the huge number of ports in the tree, a security advisory cannot be " "issued on each incident without creating a flood and losing the attention of " "the audience when it comes to really serious matters. Therefore security " "vulnerabilities found in ports are recorded in https://vuxml.freebsd.org/" "[the FreeBSD VuXML database]. The Security Officer Team members also " "monitor it for issues requiring their intervention." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:115 msgid "" "Committers can update the VuXML database themselves, assisting the Security " "Officer Team and delivering crucial information to the community more " "quickly. Those who are not committers or have discovered an exceptionally " "severe vulnerability should not hesitate to contact the Security Officer " "Team directly, as described on the https://www.freebsd.org/security/" "#how[FreeBSD Security Information] page." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:121 msgid "" "The VuXML database is an XML document. Its source file " "[.filename]#vuln.xml# is kept right inside the port package:security/" "vuxml[]. Therefore the file's full pathname will be [.filename]#PORTSDIR/" "security/vuxml/vuln.xml#. Each time a security vulnerability is discovered " "in a port, please add an entry for it to that file. Until familiar with " "VuXML, the best thing to do is to find an existing entry fitting the case at " "hand, then copy it and use it as a template." msgstr "" #. type: Title === #: documentation/content/en/books/porters-handbook/security/_index.adoc:123 #, no-wrap msgid "A Short Introduction to VuXML" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:135 msgid "" "The full-blown XML format is complex, and far beyond the scope of this " "book. However, to gain basic insight on the structure of a VuXML entry only " "the notion of tags is needed. XML tag names are enclosed in angle " "brackets. Each opening must have a matching closing . Tags may " "be nested. If nesting, the inner tags must be closed before the outer ones. " "There is a hierarchy of tags, that is, more complex rules of nesting them. " "This is similar to HTML. The major difference is that XML is " "e__X__tensible, that is, based on defining custom tags. Due to its " "intrinsic structure XML puts otherwise amorphous data into shape. VuXML is " "particularly tailored to mark up descriptions of security vulnerabilities." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:137 msgid "Now consider a realistic VuXML entry:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:184 #, no-wrap msgid "" " <.>\n" " Several vulnerabilities found in Foo <.>\n" " \n" " \n" " foo <.>\n" " foo-devel\n" " ja-foo\n" " 1.61.9 <.>\n" " 2.*2.4_1\n" " 3.0b1\n" " \n" " \n" " openfoo <.>\n" " 1.10_7 <.>\n" " 1.2,11.3_1,1\n" " \n" " \n" " \n" " \n" "

J. Random Hacker reports:

<.>\n" " \n" "

Several issues in the Foo software may be exploited\n" " via carefully crafted QUUX requests. These requests will\n" " permit the injection of Bar code, mumble theft, and the\n" " readability of the Foo administrator account.

\n" " \n" " \n" " \n" " <.>\n" " SA-10:75.foo <.>\n" " ports/987654 <.>\n" " CVE-2023-48795 <.>\n" " 740169 <.>\n" " SA10-99A <.>\n" " http://marc.theaimsgroup.com/?l=bugtraq&m=203886607825605 <.>\n" " http://j.r.hacker.com/advisories/1 <.>\n" " \n" " \n" " 2010-05-25 <.>\n" " 2010-07-13 <.>\n" " 2010-09-17 <.>\n" " \n" "\n" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:187 msgid "" "The tag names are supposed to be self-explanatory so we shall take a closer " "look only at fields which needs to be filled in:" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:190 msgid "" "This is the top-level tag of a VuXML entry. It has a mandatory attribute, " "`vid`, specifying a universally unique identifier (UUID) for this entry (in " "quotes). Generate a UUID for each new VuXML entry (and do not forget to " "substitute it for the template UUID unless writing the entry from scratch). " "Use man:uuidgen[1] to generate a VuXML UUID." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:192 msgid "This is a one-line description of the issue found." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:194 msgid "" "The names of packages affected are listed there. Multiple names can be given " "since several packages may be based on a single master port or software " "product. This may include stable and development branches, localized " "versions, and slave ports featuring different choices of important build-" "time configuration options." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:198 #, no-wrap msgid "" "Affected versions of the package(s) are specified there as one or more ranges using a combination of ``, ``, ``, ``, and `` elements. Check that the version ranges given do not overlap.\n" "In a range specification, `\\*` (asterisk) denotes the smallest version number. In particular, `2.*` is less than `2.a`. Therefore an asterisk may be used for a range to match all possible `alpha`, `beta`, and `RC` versions. For instance, `2.*3.*` will selectively match every `2.x` version while `2.03.0` will not since the latter misses `2.r3` and matches `3.b`.\n" "The above example specifies that affected are versions `1.6` and up to but not including `1.9`, versions `2.x` before `2.4_1`, and version `3.0b1`." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:200 msgid "" "Several related package groups (essentially, ports) can be listed in the " "`` section. This can be used if several software products (say " "FooBar, FreeBar and OpenBar) grow from the same code base and still share " "its bugs and vulnerabilities. Note the difference from listing multiple " "names within a single section." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:202 msgid "" "The version ranges have to allow for `PORTEPOCH` and `PORTREVISION` if " "applicable. Please remember that according to the collation rules, a version " "with a non-zero `PORTEPOCH` is greater than any version without `PORTEPOCH`, " "for example, `3.0,1` is greater than `3.1` or even than `8.9`." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:204 msgid "" "This is a summary of the issue. XHTML is used in this field. At least " "enclosing `

` and `

` has to appear. More complex mark-up may be used, " "but only for the sake of accuracy and clarity: No eye candy please." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:206 msgid "" "This section contains references to relevant documents. As many references " "as apply are encouraged." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:208 msgid "" "This is a https://www.freebsd.org/security/#adv[FreeBSD security advisory]." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:210 msgid "This is a https://www.freebsd.org/support/[FreeBSD problem report]." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:212 msgid "This is a https://cve.mitre.org/[MITRE CVE] identifier." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:214 msgid "This is a https://www.kb.cert.org/vuls/[US-CERT] vulnerability note." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:216 msgid "" "This is a https://www.cisa.gov/news-events/cybersecurity-advisories[US-CERT] " "Technical Cyber Security Alert." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:218 msgid "" "This is a URL to an archived posting in a mailing list. The attribute " "`msgid` is optional and may specify the message ID of the posting." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:220 msgid "" "This is a generic URL. Only it if none of the other reference categories " "apply." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:222 msgid "This is the date when the issue was disclosed (_YYYY-MM-DD_)." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:224 msgid "This is the date when the entry was added (_YYYY-MM-DD_)." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:226 msgid "" "This is the date when any information in the entry was last modified (_YYYY-" "MM-DD_). New entries must not include this field. Add it when editing an " "existing entry." msgstr "" #. type: Title === #: documentation/content/en/books/porters-handbook/security/_index.adoc:228 #, no-wrap msgid "Testing Changes to the VuXML Database" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:231 msgid "" "This example describes a new entry for a vulnerability in the package " "`dropbear` that has been fixed in version `dropbear-2013.59`." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:233 msgid "" "As a prerequisite, install a fresh version of package:security/vuxml[] port." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:236 msgid "" "First, check whether there already is an entry for this vulnerability. If " "there were such an entry, it would match the previous version of the " "package, `2013.58`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:240 #, no-wrap msgid "% pkg audit dropbear-2013.58\n" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:243 msgid "If there is none found, add a new entry for this vulnerability." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:248 #, no-wrap msgid "" "% cd ${PORTSDIR}/security/vuxml\n" "% make newentry\n" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:252 msgid "" "If the vulnerability has a https://cve.mitre.org/[MITRE CVE] identifier, the " "following command can be used instead:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:257 #, no-wrap msgid "" "% cd ${PORTSDIR}/security/vuxml\n" "% make newentry CVE_ID=CVE-YYYY-XXXXX\n" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:260 msgid "where `CVE-YYYYY-XXXX` is a valid CVE identifier." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:263 msgid "" "If the vulnerability is a FreeBSD Security Advisory, the following command " "can be used instead:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:268 #, no-wrap msgid "" "% cd ${PORTSDIR}/security/vuxml\n" "% make newentry SA_ID=FreeBSD-SA-YY-XXXXXX.asc\n" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:271 msgid "" "where `FreeBSD-SA-YY-XXXXXX.asc` is a published https://www.freebsd.org/" "security/advisories/[FreeBSD Security Advisory]." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:273 msgid "Verify its syntax and formatting:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:277 #, no-wrap msgid "% make validate\n" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:282 msgid "" "The previous command generates the [.filename]#vuln-flat.xml# file. It can " "also be generated with:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:286 #, no-wrap msgid "% make vuln-flat.xml\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:291 msgid "" "At least one of these packages needs to be installed: package:textproc/" "libxml2[], package:textproc/jade[]." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:294 msgid "" "Verify that the `` section of the entry will match the correct " "packages:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:298 #, no-wrap msgid "% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58\n" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:301 msgid "Make sure that the entry produces no spurious matches in the output." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:303 msgid "Now check whether the right package versions are matched by the entry:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:312 #, no-wrap msgid "" "% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58 dropbear-2013.59\n" "dropbear-2012.58 is vulnerable:\n" "dropbear -- exposure of sensitive information, DoS\n" "CVE: CVE-2013-4434\n" "CVE: CVE-2013-4421\n" "WWW: https://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:314 #, no-wrap msgid "1 problem(s) in the installed packages found.\n" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:317 msgid "The former version matches while the latter one does not." msgstr "" #. type: Title === #: documentation/content/en/books/porters-handbook/security/_index.adoc:319 #, no-wrap msgid "VuXML new entry checklist" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:323 msgid "" "Check the name of the port. Sometimes the upstream project name is not " "exactly the same as the port name." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:327 msgid "" "Add all flavors. When a port has flavors all the package names need to be " "added as a `` in the entry. Use the following script to generate " "all flavored package names:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/porters-handbook/security/_index.adoc:331 #, no-wrap msgid "% for flavor in $(make -V FLAVORS); do FLAVOR=\"${flavor}\" make -VPKGNAME;done\n" msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:336 msgid "" "Check if the port has `PORTEPOCH`. The above script snippet helps with " "that. If the port uses `PORTEPOCH` it is mandatory to add it to the " "`` tag." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:340 msgid "" "Double check ranges. In the case of ranges limited on both sides, make sure " "that the `` and `` elements are inside the same `` tag. " "Otherwise the entry might end up defining an overlapping range." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:349 msgid "" "Cross-check derivatives. Check whether derivatives or forks of the project " "included in the ports tree are also affected. For example, if a " "vulnerability is discovered in package:www/firefox[], assess whether " "derivatives like package:www/librewolf[], package:www/waterfox[] or other " "similar projects share the same vulnerability. Include all affected " "derivatives in the VuXML entry, ensuring that users of these ports are " "informed. Also check if there are Linux versions of the same port in the " "tree. For instance, package:databases/sqlite3[] vulnerabilities most likely " "affect packages like package:databases/linux-c7-sqlite3[] too." msgstr "" #. type: Plain text #: documentation/content/en/books/porters-handbook/security/_index.adoc:349 msgid "Do not commit an entry without running `make validate` first." msgstr ""