New pkg audit / vuln.xml failures (php55, unzoo)

Sevan / Venture37 venture37 at gmail.com
Fri May 29 14:21:05 UTC 2015


On 28 May 2015 at 17:47, Bryan Drewery <bdrewery at freebsd.org> wrote:
> I think the VUXML database needs to be simpler to contribute to. Only a
> handful of committers feel comfortable touching the file. We have also
> had the wrong pervasive mentality by committers and users that the vuxml
> database should only have an entry if there is a committed fix. This is
> totally wrong. These CVE are _already public_ in all of these cases.
> Users deserve to know that there is a known issue with a package they
> have installed. I can understand how the mentality grew to what it is
> with some people, but the fact that there is not an update doesn't
> change that the user's system is insecure and needs to be dealt with. If
> the tool can't reliably report issues then it is not worth trusting.
> TL;DR; the file needs to be simpler. I know there is an effort to use
> CPE but I'm not too familiar with where it is going.

May I suggest a more pragmatic format of package+version, type of
issue, url for further info.

> The RedHat security team and reporting is very impressive. Don't forget
> that they are a funded company though. Perhaps the FreeBSD Foundation
> needs to fund a fulltime security officer that is devoted to both Ports
> and Src. Just the Ports piece is easily a fulltime job.

There seems to be a lot of eyes on the ports-bugs@ list from the
community; a heads-up about vulnerabilities via the bug tracker may
help in the meantime?


Sevan / Venture37

