New pkg audit / vuln.xml failures (php55, unzoo)
Andreas Andersson
a.andersson.thn at gmail.com
Sat May 23 15:55:04 UTC 2015
Is it enough to only update php55?
I could create a patch with relative easyness in that case.
2015-05-23 17:30 GMT+02:00 Roger Marquis <marquis at roble.com>:
> FYI regarding these new and significant failures of FreeBSD security
> policy and procedures.
>
> PHP55 vulnerabilities announced over a week ago
> <https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/>) have still
> not been ported to lang/php55. You can, however, edit the Makefile,
> increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum
> deinstall reinstall clean' to secure a server without waiting for the
> port to be updated. Older versions of PHP may also have unpatched
> vulnerabilities that are not noted in the vuln.xml database.
>
> New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg
> audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your earliest
> convenience if you have these installed.
>
> HEADS-UP: anyone maintaining public-facing FreeBSD servers who is
> depending on 'pkg audit' to report whether a server is secure it should
> be noted that this method is no longer reliable.
>
> If you find a vulnerability such as a new CVE or mailing list
> announcement please send it to the port maintainer and
> <ports-secteam at FreeBSD.org> as quickly as possible. They are whoefully
> understaffed and need our help. Though freebsd.org indicates that
> security alerts should be sent to <secteam at FreeBSD.org> this is
> incorrect. If the vulnerability is in a port or package send an alert to
> ports-secteam@ and NOT secteam@ as the secteam will generally not reply
> to your email or forward the alerts to ports-secteam.
>
> Roger
>
> Does anyone know what's going on with vuln.xml updates? Over the last
>> few weeks and months CVEs and application mailing lists have announced
>> vulnerabilities for several ports that in some cases only showed up in
>> vuln.xml after several days and in other cases are still not listed
>> (despite email to the security team).
>>
> _______________________________________________
> freebsd-ports at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe at freebsd.org"
>
More information about the freebsd-ports
mailing list