squirrelmail vuln not published on vuxml ?
Matthieu Michaud
ohmer at epita.info
Fri Dec 29 05:15:55 PST 2006
Matthew Seaman wrote:
> Matthieu Michaud wrote:
>
>> If I'm not wrong, it seems like the security issue with squirrelmail
>> 1.4.8 published on squirrelmail.org is not reported on vuxml. Shouldn't
>> it be?
>
> It looks like a good candidate for that, yes. In order for such problems
> to find their way into vuxml the Security Team first has to be made aware
> of them. E-mail to sec-team at freebsd.org generally suffices, and it will
> help them if references to security advisories, reports on Bugtraq, Secunia
> and similar sites, CVE numbers etc. can be included in the report.
>
> However making that report (along with updating the port to fix the
> vulnerabilities) is the port maintainer's responsibility in the first
> instance -- only if the maintainer fails to reply or deal with your
> concerns should you go direct.
>
> When updating a port to fix a security hole, adding [security] to the
> synopsis (which becomes the Subject line in the gnats e-mails) and CC'ing
> sec-team at freebsd.org is generally sufficient to get appropriate entries
> made in vuxml and portaudit's DB.
>
> Cheers,
>
> Matthew
>
Let's do it, maintainer CC'ed (please read above :p).