Vulnerabilities not included into FreeBSD vuxml
Roger Marquis
marquis at roble.com
Tue Oct 25 01:23:50 UTC 2016
>> MySQL - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL
>> VirtualBox - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR
>>
>
> I don't use MySQL, but the list does not include any CVEs that are
> applicable to the versions currently in ports. Or at least MySQL 5.5 and
> VirtualBox. (Packages lag a bit and I imagine that 5.5.53 (MySQL) and 5.1.8
> (VB) may not be available in all repos for a couple of days.)
Many of us see this as a major weakness in the FreeBSD security model.
The fact that a port or package was deprecated after being installed is
simply not a good reason for not listing it in the vulnxml. I say this
from experience, having had to inform more than one FreeBSD site that they
were hosting known insecure software when they had previously trusted
'pkg audit'.
Roger Marquis