Vulnerabilities not included into FreeBSD vuxml

Roger Marquis marquis at
Tue Oct 25 01:23:50 UTC 2016

>> MySQL -
>> cpuoct2016-2881722.html#AppendixMSQL
>> VirtualBox -
>> cpuoct2016-2881722.html#AppendixOVIR
> I don't use My SQL, but the list does not include any CVEs that are
> applicable to the versions currently in ports. Ot at least MySQL 5.5. and
> VirtualBox. (Packages lag a bit and I imagine that 5.5.53 (MySQL) and 5.1.8
> (VB) may not be available in all repos for a couple of days.)

Many of us see this as a major weakness in the FreeBSD security model.
The fact that a port or package was deprecated after being installed is
simply not a good reason for not listing it in the vulnxml.  I say this
from experience have had to inform more than one FreeBSD site that they
were hosting known insecure software when they had previously trusted
'pkg audit'.

Roger Marquis

More information about the freebsd-ports mailing list