CVE-2014-0160?

Matthew Seaman matthew at FreeBSD.org
Fri Apr 11 20:57:08 UTC 2014


On 11/04/2014 15:34, Erik Trulsson wrote:
> Quoting sbremal at hotmail.com:
> 
>> I receive daily email from the host which normally shows port audits
>> and vulnerabilities. However, I did not spot anything related to
>> CVE-2014-0160 in this email. I expected the same info to come in this
>> email about the base system as well.
>>
>> How do you normally inform users about recent vulnerabilities in the base
>> system? (I believe newspaper and TV is not the best way...)
> 
> No, the port audit system does not cover base system vulnerabilities.
> 
> Security advisories regarding the base system are supposed to be sent by
> e-mail to the following mailing lists:
> 
>     FreeBSD-security-notifications at FreeBSD.org
>     FreeBSD-security at FreeBSD.org
>     FreeBSD-announce at FreeBSD.org
> 
> Personally I would recommend all FreeBSD users to subscribe to the
> freebsd-announce list at least.

portaudit is rapidly becoming obsolete.  Today's alternative is pkg-audit(8).

One of the non-obvious things about the switch from portaudit to pkg
audit is that pkg audit uses the standard vuxml vulnerability database
directly, whereas portaudit used its own vulnerability data, which was
essentially a heavily trimmed extract from vuxml.

The interesting thing about vuxml is that it is quite possible to write
vulnerability entries for the base system.  E.g.

http://vuxml.freebsd.org/freebsd/b72bad1c-20ed-11e3-be06-000c29ee3065.html

This is applied inconsistently though.  While there is an entry for
OpenSSL Heartbleed, it doesn't contain any reference to the FreeBSD base
system and the security advisories (at least, not at the time I was
writing this...)

Neither pkg audit nor any other tool I am aware of can warn about base
system vulnerabilities.  Such functionality would be very welcome though.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
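To make the point above concrete (that vuxml is a general vulnerability database which can describe the base system as easily as a port, and that pkg audit is essentially a matcher of installed versions against vuxml ranges), here is an added example that is not code from the thread, from pkg(8) or from the FreeBSD project. It parses a constructed vuxml document, embedded inline, and audits a constructed inventory against it. Assumptions, all labelled in the code: the vid, the version ranges and the dates are placeholders rather than the numbers from any real advisory; the base system is represented as a pseudo-package named "FreeBSD" with a ports-style version (the real vuxml base entries and the mapping from uname -r to such a version are not reproduced here); and the version comparison is a deliberate simplification of the pkg version rules (epoch, dotted numeric components, a trailing letter, and _revision), so pre-release words like "rc" or "beta" are not handled.

```python
import re
import xml.etree.ElementTree as ET

# vuxml-1 namespace, as used by the FreeBSD vuln.xml database.
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample document (NOT a real vuxml entry): placeholder vid,
# placeholder version ranges and dates. The second <package> shows how a
# base-system entry could be expressed in the same format (assumption:
# pseudo-package "FreeBSD" with a ports-style version such as 10.0_1).
SAMPLE_VUXML = """
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>OpenSSL -- heartbeat extension read overrun (constructed sample)</topic>
    <affects>
      <package>
        <name>openssl</name>
        <range><ge>1.0.1</ge><lt>1.0.1_10</lt></range>
      </package>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.0</ge><lt>10.0_1</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2014-0160</cvename>
      <url>https://www.freebsd.org/security/advisories/</url>
    </references>
    <dates><discovery>1970-01-01</discovery><entry>1970-01-01</entry></dates>
  </vuln>
</vuxml>
"""


def _split(version):
    """Split 'ver[_rev][,epoch]' into (epoch, components, rev).

    Simplified pkg(8) rules: numeric components compare numerically, a letter
    run sorts after the bare number it follows (1.0.1 < 1.0.1g), and the
    _revision only matters when the main versions are equal.
    """
    epoch, rev = 0, 0
    if "," in version:
        version, e = version.split(",", 1)
        epoch = int(e)
    if "_" in version:
        version, r = version.split("_", 1)
        rev = int(r)
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((1, int(tok)) if tok.isdigit() else (2, tok.lower()))
    return epoch, parts, rev


def compare(a, b):
    """Return <0, 0 or >0 as version a is older than, equal to or newer than b."""
    ka, kb = _split(a), _split(b)
    return (ka > kb) - (ka < kb)


# vuxml range operators; a <range> matches when all of its conditions hold.
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def in_range(version, rng):
    for cond in rng:
        op = cond.tag.split("}")[1]  # strip the namespace from the tag
        if not OPS[op](compare(version, cond.text.strip())):
            return False
    return True


def audit(installed, vuxml_text):
    """Match {package_name: version} against every <vuln>; return the hits."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        topic = vuln.findtext("v:topic", default="", namespaces=NS)
        cves = [c.text for c in vuln.findall("v:references/v:cvename", NS)]
        for pkg in vuln.findall("v:affects/v:package", NS):
            ranges = pkg.findall("v:range", NS)
            for name_el in pkg.findall("v:name", NS):
                ver = installed.get(name_el.text)
                if ver is not None and any(in_range(ver, r) for r in ranges):
                    hits.append((name_el.text, ver, vid, topic, cves))
    return hits


if __name__ == "__main__":
    # Constructed inventory: one port plus the base system as a pseudo-package.
    inventory = {"openssl": "1.0.1_9", "FreeBSD": "10.0", "bash": "4.3"}
    for name, ver, vid, topic, cves in audit(inventory, SAMPLE_VUXML):
        print(f"{name}-{ver} is vulnerable: {topic} [{', '.join(cves)}] vid={vid}")
```

The only thing separating this from a base-system audit is the inventory: a port's name and version come from the package database, while the base system's would have to be derived from uname -r (patch level to _revision), which is exactly the piece that pkg audit does not do.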


