New pkg audit / vuln.xml failures (php55, unzoo)
Roger Marquis
marquis at roble.com
Wed May 27 21:35:42 UTC 2015
>> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
>> OpenBSD server operators) have no assurance that their systems are
>> secure.
>
> Slow down here for a second. Where's the command-line tool on RedHat or
> Debian that lists only the known vulnerable packages?
In RedHat you can create a security repo list (
grep "-security" /etc/apt/sources.list), install the security plugin (yum
install yum-plugin-security) and 'yum check-update --security' for the same
functionality as 'pkg audit -F'. Debian is even more obscure (apt-get upgrade
-o Dir::Etc::SourceList=/etc/apt/security.sources.list --just-print). FreeBSD
'pkg audit' is much cleaner but what difference does that make, really, when
you have a vulnerable package that isn't in the database?
> But that's not the end of the story. That
> command won't list vulnerabilities until they have a patch released.
> Let's look at CVE-2015-0209
> https://access.redhat.com/security/cve/CVE-2015-0209
> Release date was March 23rd.
No question there's variability in bugfix timeliness, especially for DOS-type
bugs like CVE-2015-0209. FreeBSD ports maintainers are also able to commit
patches and version updates much more quickly than their binary-only
competitors, as noted with the php55/Makefile tweak. In the past that's what
made FreeBSD a more secure OS to host applications on. But that's not the
main issue this thread has been about.
The issue that really matters from a security perspective is the completeness
of the vulnerability database, vuln.xml in our case.
> The grass is always greener... or is it?
>
> Let's just concentrate on how to improve things here and not worry about
> how they're handling security issues because they have their own unique
> problems to solve.
I must say I am disappointed in the response to this serious and significant
issue. My Redhat using co-workers, OTOH, are no doubt eating it up. Problem
is I'm not the only one who has to defend their business unit's use of FreeBSD
in a corporation that has otherwise nearly standardized on Redhat (and RH
security, bash notwithstanding).
Roger
More information about the freebsd-ports
mailing list