New pkg audit / vuln.xml failures (php55, unzoo)
Roger Marquis
marquis at roble.com
Wed May 27 17:40:35 UTC 2015
>> If you find a vulnerability such as a new CVE or mailing list
>> announcement please send it to the port maintainer and
>> <ports-secteam at FreeBSD.org> as quickly as possible. They are whoefully
>> understaffed and need our help.
Mark Felder wrote:
> Who is "ports-secteam"?
It was Xin Li who alerted me to the ports-secteam at freebsd.org address
i.e., as being distinct from the "FreeBSD Security Team"
(secteam at freebsd.org) address noted on
<https://www.freebsd.org/security/>.
> There has been no Call For Help that I've ever seen. If people are needed
> to process these CVEs so they are entered into VUXML, sign me up to
> ports-secteam please.
I believe that is part of the problem, or the multiple problems, that
lead me to believe that FreeBSD is operating without the active
involvement of a security officer. Specifically:
* port vulnerability alerts sent to secteam@, as indicated on the
/security/ page, are neither forwarded to ports-secteam@ for review nor
returned to the sender with a note regarding the correct destination
address,
* the freebsd.org/security web page is not correct and not being
updated,
* aside from Xin nobody from either ports-secteam@ or secteam@ much
less security-officer@ seems to be reading or participating in the
security@ mailing list,
* nobody @freebsd.org appears to be following CVE announcements and the
maintainers of several high profile ports are also not following it or
even their application's -announce list,
* there appears to be no automated process to alert vuln.xml maintainers
(ports-secteam@) of potential new port vulnerabilities,
* offers of help to secteam@ and ports-secteam@ are neither replied to
nor acted upon (except for Xin Li's request, thanks Xin!),
* perhaps as a result the vuln.xml database is no longer reliable, and
by extension,
* operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
OpenBSD server operators) have no assurance that their systems are secure.
This is a MAJOR CHANGE from just a couple of years ago which calls for an
equally major heads-up to be sent to those running FreeBSD servers and
looking to the freebsd.org website for help securing their systems.
The signifiance of these 7 bullets should not be overlooked or
understated. They call in to question the viability of FreeBSD itself.
IMO,
Roger Marquis
More information about the freebsd-ports
mailing list