From a4edb91a3ec000d0f85cb335dfbf1bc3f0ff8f88 Mon Sep 17 00:00:00 2001
From: Doug Barton
Date: Mon, 5 Sep 2011 12:00:45 +0000
Subject: [PATCH] Improve the entry on generating new vuxml entries.

This includes changes to the grammar and punctuation, as well as adding details about the mechanics of running portaudit. This change also incorporates the changes from the PR to text no longer relevant since the 4.x days.

PR: docs/160470
Submitted by: eadler
---
 .../books/porters-handbook/book.sgml | 80 ++++++++++---------
 1 file changed, 43 insertions(+), 37 deletions(-)

diff --git a/en_US.ISO8859-1/books/porters-handbook/book.sgml b/en_US.ISO8859-1/books/porters-handbook/book.sgml
index ef03bd8eb1..8a564be8d2 100644
--- a/en_US.ISO8859-1/books/porters-handbook/book.sgml
+++ b/en_US.ISO8859-1/books/porters-handbook/book.sgml
@@ -9897,60 +9897,60 @@ as .putsy.conf and edit it. The VuXML database - A very important and urgent step to take as early as - a security vulnerability is discovered is to notify the + A very important and urgent step to take as early after + a security vulnerability is discovered as possible is to notify the community of port users about the jeopardy. Such notification serves two purposes. First, should the danger - be really severe, it will be wise to apply an instant workaround, - e.g., stop the affected network service or even deinstall - the port completely, until the vulnerability is closed. + be really severe it will be wise to apply an instant workaround. + E.g., stop the affected network service or even deinstall + the port completely until the vulnerability is closed. Second, a lot of users tend to upgrade installed packages - just occasionally. They will know from the notification + only occasionally. They will know from the notification that they must update the package without delay as soon as a corrected version is available. - Given the huge number of ports in the tree, + Given the huge number of ports in the tree a security advisory cannot be issued on each incident without creating a flood and losing the attention of - the audience by the time it comes to really serious + the audience when it comes to really serious matters. Therefore security vulnerabilities found in ports are recorded in the FreeBSD VuXML database. The Security Officer Team members - are monitoring it for issues requiring their + also monitor it for issues requiring their intervention. - If you have committer rights, you can update the VuXML + If you have committer rights you can update the VuXML database by yourself. So you will both help the Security Officer Team and deliver the crucial information to the community earlier. 
However, if you are not a committer, or you believe you have found an exceptionally severe - vulnerability, or whatever, please do not hesitate to + vulnerability please do not hesitate to contact the Security Officer Team directly as described on the FreeBSD Security Information page. - All right, you elected the hard way. As it may be obvious - from its title, the VuXML database is essentially an + As may be obvious + from its title the VuXML database is an XML document. Its source file vuln.xml is kept right inside the port security/vuxml. Therefore the file's full pathname will be PORTSDIR/security/vuxml/vuln.xml. Each time you discover a security vulnerability in a - port, please add an entry for it to that file. + port please add an entry for it to that file. Until you are familiar with VuXML, the best thing you can do is to find an existing entry fitting your case, then copy - it and use as a template. + it and use it as a template. A short introduction to VuXML - The full-blown XML is complex and far beyond the scope of + The full-blown XML format is complex, and far beyond the scope of this book. However, to gain basic insight on the structure - of a VuXML entry, you need only the notion of tags. XML + of a VuXML entry you need only the notion of tags. XML tag names are enclosed in angle brackets. Each opening <tag> must have a matching closing </tag>. Tags may be nested. If nesting, the inner tags must be @@ -9958,7 +9958,7 @@ as .putsy.conf and edit it. tags, i.e. more complex rules of nesting them. Sounds very similar to HTML, doesn't it? The major difference is that XML is eXtensible, i.e. based - on defining custom tags. Due to its intrinsic structure, + on defining custom tags. Due to its intrinsic structure XML puts otherwise amorphous data into shape. VuXML is particularly tailored to mark up descriptions of security vulnerabilities. 
@@ -10014,7 +10014,7 @@ as .putsy.conf and edit it. </dates> </vuln> - The tag names are supposed to be self-descriptive, + The tag names are supposed to be self-explanatory so we shall take a closer look only at fields you will need to fill in by yourself: @@ -10027,12 +10027,7 @@ as .putsy.conf and edit it. for each new VuXML entry (and do not forget to substitute it for the template UUID unless you are writing the entry from scratch). You can use &man.uuidgen.1; to - generate a VuXML UUID; alternatively, if you are using - FreeBSD 4.x, you may install the port devel/p5-Data-UUID and issue - the following command: - - perl -MData::UUID -le 'print lc new Data::UUID->create_str' + generate a VuXML UUID. 
@@ -10223,26 +10218,37 @@ as .putsy.conf and edit it. vulnerability in the package clamav that has been fixed in version 0.65_7. - As a prerequisite, you need to install fresh versions of the - ports ports-mgmt/portaudit and - ports-mgmt/portaudit-db. + As a prerequisite, you need to install fresh versions of the + ports ports-mgmt/portaudit, + ports-mgmt/portaudit-db, and + security/vuxml. + + + To run packaudit you must have + permission to write to its + DATABASEDIR, + typically /var/db/portaudit. + + To use a different directory set the + DATABASEDIR + environment variable to a different location. + + If you are working in a directory other than + ${PORTSDIR}/security/vuxml set the + VUXMLDIR + environment variable to the directory where + vuln.xml is located. + First, check whether there already is an entry for this - vulnerability. If there were such entry, it would match the + vulnerability. If there were such an entry, it would match the previous version of the package, 0.65_6: &prompt.user; packaudit &prompt.user; portaudit clamav-0.65_6 - - To run packaudit, you must have - permission to write to its - DATABASEDIR, - typically /var/db/portaudit. - - - If there is none found, you get the green light to add + If there is none found, you have the green light to add a new entry for this vulnerability. Now you can generate a brand-new UUID (assume it's 74a9541d-5d6c-11d8-80e3-0020ed76ef5a) and
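Review bot: the rewritten opening sentence of the @@ -9897 hunk, "A very important and urgent step to take as early after a security vulnerability is discovered as possible is to notify the community", puts a whole clause between "as early" and "as possible" and reads worse than the text it replaces; suggest "A very important and urgent step is to notify the community of port users about the jeopardy as soon as possible after a security vulnerability is discovered." In the same hunk, cutting the sentence so that the next one begins "E.g., stop the affected network service" is awkward in running prose; keep the comma, or write "For example, stop the affected network service". The hunk also drops the comma after several introductory clauses ("Given the huge number of ports in the tree a security advisory", "If you have committer rights you can update"); those commas were correct and help the reader, so they should stay. Since the commit message says the aim is to fix grammar and punctuation, these lines move in the wrong direction.

Review bot: the tail of the @@ -9897 hunk and the @@ -9958 hunk repeat the same comma removal ("As may be obvious from its title the VuXML database is an XML document", "Each time you discover a security vulnerability in a port please add an entry", "Due to its intrinsic structure XML puts"); each of these needs the comma after the introductory phrase. Conversely, "The full-blown XML format is complex, and far beyond the scope of this book" adds a comma where none belongs; "is complex and far beyond the scope of this book" is correct.

Review bot: in the @@ -10014 hunk, "self-explanatory so we shall take a closer look" drops the comma before "so"; keep "self-explanatory, so we shall take a closer look".

Review bot: the @@ -10027 hunk correctly removes the FreeBSD 4.x Data::UUID alternative, leaving &man.uuidgen.1; as the only instruction; since the remaining sentence no longer has a second alternative, "You can use &man.uuidgen.1; to generate a VuXML UUID." is complete and needs nothing further.

Review bot: the new VUXMLDIR note in the @@ -10223 hunk tells the reader to set VUXMLDIR when working outside ${PORTSDIR}/security/vuxml, but it does not say which of packaudit and portaudit honours that variable; name the tool so the reader knows which step the setting affects. The moved DATABASEDIR note reads "To use a different directory set the DATABASEDIR environment variable to a different location", which repeats "different" and lacks a comma; suggest "To use another directory, set the DATABASEDIR environment variable to its path." It also lost the comma in "To run packaudit, you must have permission to write to its DATABASEDIR". Finally, the example immediately below still shows packaudit at the unprivileged &prompt.user; prompt while the note above it says write access to DATABASEDIR is required; either show the variable being set in the example, for instance "&prompt.user; env DATABASEDIR=some-writable-directory packaudit" (path illustrative), or note that the default location normally requires elevated privileges.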