New pkg audit / vuln.xml failures (php55, unzoo)
Matthew Donovan
kitche at kitchetech.com
Wed May 27 19:34:12 UTC 2015
I found the ports security reporting without issues
http://www.freebsd.org/security/reporting.html. Appears someone should
read reporting page Instead of saying information is not correct.
On May 27, 2015 12:40 PM, "Roger Marquis" <marquis at roble.com> wrote:
> If you find a vulnerability such as a new CVE or mailing list
>>> announcement please send it to the port maintainer and
>>> <ports-secteam at FreeBSD.org> as quickly as possible. They are whoefully
>>> understaffed and need our help.
>>>
>> Mark Felder wrote:
>
>> Who is "ports-secteam"?
>>
>
> It was Xin Li who alerted me to the ports-secteam at freebsd.org address
> i.e., as being distinct from the "FreeBSD Security Team"
> (secteam at freebsd.org) address noted on
> <https://www.freebsd.org/security/>.
>
> There has been no Call For Help that I've ever seen. If people are needed
>> to process these CVEs so they are entered into VUXML, sign me up to
>> ports-secteam please.
>>
>
> I believe that is part of the problem, or the multiple problems, that
> lead me to believe that FreeBSD is operating without the active
> involvement of a security officer. Specifically:
>
> * port vulnerability alerts sent to secteam@, as indicated on the
> /security/ page, are neither forwarded to ports-secteam@ for review nor
> returned to the sender with a note regarding the correct destination
> address,
>
> * the freebsd.org/security web page is not correct and not being
> updated,
>
> * aside from Xin nobody from either ports-secteam@ or secteam@ much
> less security-officer@ seems to be reading or participating in the
> security@ mailing list,
>
> * nobody @freebsd.org appears to be following CVE announcements and the
> maintainers of several high profile ports are also not following it or
> even their application's -announce list,
>
> * there appears to be no automated process to alert vuln.xml maintainers
> (ports-secteam@) of potential new port vulnerabilities,
>
> * offers of help to secteam@ and ports-secteam@ are neither replied to
> nor acted upon (except for Xin Li's request, thanks Xin!),
>
> * perhaps as a result the vuln.xml database is no longer reliable, and
> by extension,
>
> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
> OpenBSD server operators) have no assurance that their systems are secure.
>
> This is a MAJOR CHANGE from just a couple of years ago which calls for an
> equally major heads-up to be sent to those running FreeBSD servers and
> looking to the freebsd.org website for help securing their systems.
>
> The signifiance of these 7 bullets should not be overlooked or
> understated. They call in to question the viability of FreeBSD itself.
>
> IMO,
> Roger Marquis
> _______________________________________________
> freebsd-ports at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe at freebsd.org"
>
More information about the freebsd-ports
mailing list