New pkg audit / vuln.xml failures (php55, unzoo)

Matthew Donovan kitche at kitchetech.com
Wed May 27 19:34:12 UTC 2015


I found the ports security reporting page without issues:
http://www.freebsd.org/security/reporting.html. It appears someone should
read the reporting page instead of saying the information is not correct.
On May 27, 2015 12:40 PM, "Roger Marquis" <marquis at roble.com> wrote:

>>> If you find a vulnerability such as a new CVE or mailing list
>>> announcement please send it to the port maintainer and
>>> <ports-secteam at FreeBSD.org> as quickly as possible.  They are woefully
>>> understaffed and need our help.
>>>
>> Mark Felder wrote:
>
>> Who is "ports-secteam"?
>>
>
> It was Xin Li who alerted me to the ports-secteam at freebsd.org address
> i.e., as being distinct from the "FreeBSD Security Team"
> (secteam at freebsd.org) address noted on
> <https://www.freebsd.org/security/>.
>
>> There has been no Call For Help that I've ever seen. If people are needed
>> to process these CVEs so they are entered into VUXML, sign me up to
>> ports-secteam please.
>>
>
> I believe that is part of the problem, or the multiple problems, that
> led me to believe that FreeBSD is operating without the active
> involvement of a security officer.  Specifically:
>
>  * port vulnerability alerts sent to secteam@, as indicated on the
>  /security/ page, are neither forwarded to ports-secteam@ for review nor
>  returned to the sender with a note regarding the correct destination
>  address,
>
>  * the freebsd.org/security web page is not correct and not being
>  updated,
>
>  * aside from Xin nobody from either ports-secteam@ or secteam@ much
>  less security-officer@ seems to be reading or participating in the
>  security@ mailing list,
>
>  * nobody @freebsd.org appears to be following CVE announcements and the
>  maintainers of several high profile ports are also not following it or
>  even their application's -announce list,
>
>  * there appears to be no automated process to alert vuln.xml maintainers
>  (ports-secteam@) of potential new port vulnerabilities,
>
>  * offers of help to secteam@ and ports-secteam@ are neither replied to
>  nor acted upon (except for Xin Li's request, thanks Xin!),
>
>  * perhaps as a result the vuln.xml database is no longer reliable, and
>  by extension,
>
>  * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
>  OpenBSD server operators) have no assurance that their systems are secure.
>
> This is a MAJOR CHANGE from just a couple of years ago which calls for an
> equally major heads-up to be sent to those running FreeBSD servers and
> looking to the freebsd.org website for help securing their systems.
>
> The significance of these 7 bullets should not be overlooked or
> understated.  They call into question the viability of FreeBSD itself.
>
> IMO,
> Roger Marquis
> _______________________________________________
> freebsd-ports at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe at freebsd.org"
>

