Missing fixes for various ports in Q4 branch?

Vlad K. vlad-fbsd at acheronmedia.com
Tue Dec 5 11:47:31 UTC 2017


On 2017-12-05 12:32, Patrick M. Hausen wrote:
> 
> We relied on just updating the branch every night and running
> poudriere ... looks
> like I should implement something around pkg audit that sends us daily 
> status
> reports.

Yes, but note that pkgaudit depends on VuXML which is also not up to 
date (it's on the best effort basis just like MFH). There's some effort 
going on to automate CVE entries, but until that's implemented (and if 
at all, as automation depends on CPE which many ports do not have), I'd 
suggest tracking CVEs independently in order to be best informed. 
Following linux distros secvuln announcements (Canonical's, RedHat's, 
Debian's) is a good start, so is being subscribed to oss-seclist, and of 
course the NVD or Mitre feeds themselves.

* https://usn.ubuntu.com/usn/rss.xml
* https://www.debian.org/security/dsa
* https://cve.mitre.org/

It'd be very helpful if bug reports would be filed on FreeBSD's bugzilla 
(https://bugs.freebsd.org) tagged with keyword "security" if any 
undocumented vulns (not submitted to VuXML) are found.



-- 
Vlad K.


More information about the freebsd-ports mailing list