New pkg audit / vuln.xml failures (php55, unzoo)

Remko Lodder remko at FreeBSD.org
Sat May 23 18:28:52 UTC 2015 

Please send these things to ports-secteam at FreeBSD.org so that they
can have a look at these please.

Thanks,
Remko

> On 23 May 2015, at 17:30, Roger Marquis <marquis at roble.com> wrote:
> 
> FYI regarding these new and significant failures of FreeBSD security
> policy and procedures.
> 
> PHP55 vulnerabilities announced over a week ago
> <https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/>) have still
> not been ported to lang/php55.  You can, however, edit the Makefile,
> increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum
> deinstall reinstall clean' to secure a server without waiting for the
> port to be updated.  Older versions of PHP may also have unpatched
> vulnerabilities that are not noted in the vuln.xml database.
> 
> New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg
> audit -F' or vuln.xml.  Run 'pkg remove unzoo zoo' at your earliest
> convenience if you have these installed.
> 
>  HEADS-UP: anyone maintaining public-facing FreeBSD servers who is
>  depending on 'pkg audit' to report whether a server is secure it should
>  be noted that this method is no longer reliable.
> 
> If you find a vulnerability such as a new CVE or mailing list
> announcement please send it to the port maintainer and
> <ports-secteam at FreeBSD.org> as quickly as possible.  They are whoefully
> understaffed and need our help.  Though freebsd.org indicates that
> security alerts should be sent to <secteam at FreeBSD.org> this is
> incorrect.  If the vulnerability is in a port or package send an alert to
> ports-secteam@ and NOT secteam@ as the secteam will generally not reply
> to your email or forward the alerts to ports-secteam.
> 
> Roger
> 
>> Does anyone know what's going on with vuln.xml updates?  Over the last
>> few weeks and months CVEs and application mailing lists have announced
>> vulnerabilities for several ports that in some cases only showed up in
>> vuln.xml after several days and in other cases are still not listed
>> (despite email to the security team).
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

--
/"\   Best regards,                      | remko at FreeBSD.org
\ /   Remko Lodder                       | remko at EFnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20150523/566648d7/attachment.sig>

More information about the freebsd-ports mailing list