Install/upgrade a FreeBSD port despite vulnerability warnings
Submitted by Bram Schoenmakers on 23 February, 2009 - 13:43.
I tried to upgrade ZendFramework from 1.5.2 to ZendFramework 1.7.0. At that time, version 1.7.5 was already released, but I wanted 1.7.0 no matter what. However, when trying to do so with the clumsy portdowngrade and then portupgrade, the following error appeared:
** Command failed [exit code 1]: /usr/bin/script -qa /tmp/portupgrade.92460.0 env UPGRADE_TOOL=portupgrade UPGRADE_PORT=ZendFramework-1.5.2 UPGRADE_PORT_VER=1.5.2 make
** Fix the problem and try again.
** Listing the failed packages (-:ignored / *:skipped / !:failed)
! www/zend-framework (ZendFramework-1.5.2) (unknown build error)
This does not reveal much that is useful. Let's try to make the port manually, then:
bram# cd /usr/ports/www/zend-framework
bram# make
===> ZendFramework-1.7.0 has known vulnerabilities:
=> Zend Framework -- Local File Inclusion vulnerability in Zend_View::render().
Reference:
=> Please update your ports tree and try again.
*** Error code 1
Ah, so there are vulnerabilities in this port. But I still wish to install 1.7.0 right now. There's a way to tell portupgrade to ignore these security warnings and go on nevertheless:
portupgrade -m "DISABLE_VULNERABILITIES=yes" ZendFramework
This did the job as I would have expected.
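An added example, not part of the original post: a small shell gate that reads the `make` output shown above, extracts the package and advisory that stopped the build, and prints the per-port override command only for a package version listed as an accepted exception. The function names and the approved list are assumptions made for illustration, and the sample log is constructed from the output quoted in the post.

```shell
#!/bin/sh
# Constructed sample: the `make` output quoted in the post.
SAMPLE_LOG='===> ZendFramework-1.7.0 has known vulnerabilities:
=> Zend Framework -- Local File Inclusion vulnerability in Zend_View::render().
Reference:
=> Please update your ports tree and try again.
*** Error code 1'

# Read a build log on stdin; print "package<TAB>advisory" per advisory line.
# Exit status is 0 when at least one advisory was found, 1 otherwise.
vuln_findings() {
    awk '
        /^===> .* has known vulnerabilities:/ { pkg = $2; next }
        pkg != "" && /^=> Please update/      { pkg = ""; next }
        pkg != "" && /^=> /                   { sub(/^=> /, ""); print pkg "\t" $0; n++ }
        END { exit (n > 0 ? 0 : 1) }
    '
}

# Hypothetical gate: $1 is a space-separated list of package versions whose
# risk has been reviewed and accepted. Prints the per-port override from the
# post for those, and a refusal for anything else. Nothing is executed.
override_command() {
    approved=" $1 "
    findings=$(vuln_findings) || { echo "no vulnerability notice in log"; return 1; }
    printf '%s\n' "$findings" | cut -f1 | sort -u | while read -r pkg; do
        case "$approved" in
            *" $pkg "*) echo "portupgrade -m \"DISABLE_VULNERABILITIES=yes\" ${pkg%-*}" ;;
            *)          echo "REFUSED $pkg: not an accepted exception" ;;
        esac
    done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | vuln_findings
printf '%s\n' "$SAMPLE_LOG" | override_command "ZendFramework-1.7.0"
```

Passing the knob with `-m` for a single invocation, as the post does, leaves the vulnerability check active for every other port on the system.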