New pkg audit / vuln.xml failures (php55, unzoo)

Roger Marquis marquis at roble.com
Wed May 27 17:40:35 UTC 2015 

>> If you find a vulnerability such as a new CVE or mailing list
>> announcement please send it to the port maintainer and
>> <ports-secteam at FreeBSD.org> as quickly as possible.  They are whoefully
>> understaffed and need our help.
Mark Felder wrote:
> Who is "ports-secteam"?

It was Xin Li who alerted me to the ports-secteam at freebsd.org address
i.e., as being distinct from the "FreeBSD Security Team"
(secteam at freebsd.org) address noted on
<https://www.freebsd.org/security/>.

> There has been no Call For Help that I've ever seen. If people are needed
> to process these CVEs so they are entered into VUXML, sign me up to
> ports-secteam please.

I believe that is part of the problem, or the multiple problems, that
lead me to believe that FreeBSD is operating without the active
involvement of a security officer.  Specifically:

  * port vulnerability alerts sent to secteam@, as indicated on the
  /security/ page, are neither forwarded to ports-secteam@ for review nor
  returned to the sender with a note regarding the correct destination
  address,

  * the freebsd.org/security web page is not correct and not being
  updated,

  * aside from Xin nobody from either ports-secteam@ or secteam@ much
  less security-officer@ seems to be reading or participating in the
  security@ mailing list,

  * nobody @freebsd.org appears to be following CVE announcements and the
  maintainers of several high profile ports are also not following it or
  even their application's -announce list,

  * there appears to be no automated process to alert vuln.xml maintainers
  (ports-secteam@) of potential new port vulnerabilities,

  * offers of help to secteam@ and ports-secteam@ are neither replied to
  nor acted upon (except for Xin Li's request, thanks Xin!),

  * perhaps as a result the vuln.xml database is no longer reliable, and
  by extension,

  * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
  OpenBSD server operators) have no assurance that their systems are secure.

This is a MAJOR CHANGE from just a couple of years ago which calls for an
equally major heads-up to be sent to those running FreeBSD servers and
looking to the freebsd.org website for help securing their systems.

The signifiance of these 7 bullets should not be overlooked or
understated.  They call in to question the viability of FreeBSD itself.

IMO,
Roger Marquis

More information about the freebsd-ports mailing list