11.2. Fixing Security Vulnerabilities

While on the subject of ports and packages, a security vulnerability may originate either in the upstream distribution or in the port files themselves. In the former case, the upstream developer is likely to release a patch or a new version quickly; update the port promptly to pick up that fix. If the upstream fix is delayed for some reason, either mark the port FORBIDDEN so that it cannot be installed in the meantime, or add a patch file to the port that closes the hole locally. If the problem lies in the port itself, simply fix the port as soon as possible. In either case, follow the standard procedure for submitting changes unless you have the rights to commit directly to the ports tree.

Important:

Being a ports committer is not enough to commit to an arbitrary port. Remember that ports usually have maintainers, who must be respected.

Make sure that the port's revision is bumped as soon as the vulnerability has been closed. That is how users who upgrade their installed packages on a regular basis will see that an update is needed; it also causes a new package to be built and distributed over the FTP and WWW mirrors, replacing the vulnerable one. Bump PORTREVISION unless PORTVERSION has changed in the course of correcting the vulnerability: that is, bump PORTREVISION when adding a patch file to the port, but not when updating the port to a new upstream version, because that already changes PORTVERSION (and resets PORTREVISION). Refer to the section on PORTREVISION for more information.
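The two paths described above (blocking the port and patching it locally, versus updating to the fixed upstream release) as an added example in shell; this is not code from the Porter's Handbook or from the ports framework. It works on a constructed Makefile for a hypothetical port example/foo, assumes variables are written one per line as NAME=value, and uses the ports convention that a patch for src/parser.c lives in files/patch-src_parser.c. The diff content written to the patch file is a placeholder, not a real vulnerability.

```shell
#!/bin/sh
# Added example, not code from the Porter's Handbook or the ports framework.
# Edits a port Makefile the way the section describes: mark the port
# FORBIDDEN, add a patch file under files/, bump PORTREVISION, or update
# PORTVERSION (which drops PORTREVISION instead of bumping it).
# Assumptions: one "NAME=<tab>value" per line; the port directory, the
# Makefile and the patch hunk below are all constructed for this example.
set -eu

# Constructed sample Makefile for the hypothetical port example/foo.
write_sample_makefile() {
    cat > "$1" <<'EOF'
PORTNAME=	foo
PORTVERSION=	1.2.3
CATEGORIES=	example
MASTER_SITES=	https://example.org/downloads/

MAINTAINER=	maintainer@example.org
COMMENT=	Hypothetical example port

.include <bsd.port.mk>
EOF
}

# Print the value of variable $2 from Makefile $1 (empty if unset).
get_var() {
    sed -n "s/^$2=[[:space:]]*//p" "$1"
}

# Stop users from installing the vulnerable version while a fix is pending:
# the framework refuses to build a port with FORBIDDEN set and shows $2.
mark_forbidden() {
    awk -v reason="$2" '
        { print }
        /^COMMENT=/ { print "FORBIDDEN=\t" reason }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Remove the FORBIDDEN line once the vulnerability is closed.
clear_forbidden() {
    awk '!/^FORBIDDEN=/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Write a patch under files/ using the ports naming convention:
# "patch-" followed by the patched path with "/" replaced by "_".
# $1 = port dir, $2 = path inside the extracted source, $3 = unified diff.
# Prints the patch file name.
add_patch_file() {
    name="patch-$(printf '%s' "$2" | tr '/' '_')"
    mkdir -p "$1/files"
    printf '%s\n' "$3" > "$1/files/$name"
    printf '%s\n' "$name"
}

# Bump PORTREVISION after adding a patch: increment it if present, otherwise
# add PORTREVISION=1 directly after PORTVERSION.
bump_portrevision() {
    if grep -q '^PORTREVISION=' "$1"; then
        awk '/^PORTREVISION=/ { n = $0; sub(/^PORTREVISION=[ \t]*/, "", n)
                                $0 = "PORTREVISION=\t" (n + 1) }
             { print }' "$1" > "$1.tmp"
    else
        awk '{ print } /^PORTVERSION=/ { print "PORTREVISION=\t1" }' "$1" > "$1.tmp"
    fi
    mv "$1.tmp" "$1"
}

# Update to the fixed upstream release: set PORTVERSION, drop PORTREVISION
# (the new PORTVERSION already makes the package newer) and clear FORBIDDEN.
# distinfo must then be regenerated with "make makesum".
update_portversion() {
    awk -v ver="$2" '
        /^PORTVERSION=/  { $0 = "PORTVERSION=\t" ver }
        /^PORTREVISION=/ { next }
        /^FORBIDDEN=/    { next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Walk through both paths on a constructed port directory.
demo() {
    port=$(mktemp -d)
    write_sample_makefile "$port/Makefile"

    # Path 1: upstream fix delayed. Block installs, then close the hole locally.
    mark_forbidden "$port/Makefile" "Vulnerable request parser, fix pending"
    diff=$(cat <<'EOF'
--- src/parser.c.orig
+++ src/parser.c
@@ -1,1 +1,1 @@
-    /* constructed placeholder: vulnerable line */
+    /* constructed placeholder: fixed line */
EOF
)
    add_patch_file "$port" "src/parser.c" "$diff"
    clear_forbidden "$port/Makefile"
    bump_portrevision "$port/Makefile"     # patch added, PORTVERSION unchanged
    echo "--- after local patch:"; cat "$port/Makefile"

    # Path 2: upstream released 1.2.4. New PORTVERSION, no PORTREVISION.
    update_portversion "$port/Makefile" 1.2.4
    echo "--- after upstream update:"; cat "$port/Makefile"
    rm -rf "$port"
}

demo
```

Run it with sh; the demo prints the Makefile after each path. Only the Makefile edits are shown here: in a real port you would still regenerate distinfo with make makesum after a version update and submit the change through the usual channels.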

All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/

Questions that are not answered by the documentation may be sent to <[email protected]>.
Send questions about this document to <[email protected]>.