New pkg audit FNs
matthew at FreeBSD.org
Mon Oct 9 16:17:36 UTC 2017
On 09/10/2017 16:57, Roger Marquis wrote:
> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
> there's no mention of it in the vulnerability database. The tomcat8
> port's Makefile also still points to the older, vulnerable version.
> Tomcat is one of those popular, internet-facing applications that sites
> need to check and/or update quickly when CVEs are released and most
> admins probably don't expect "pkg audit" to throw false negatives.
Ports-secteam (and secteam, for that matter) will update VuXML when they
know about vulnerabilities that affect FreeBSD ports, however the usual
mechanism is that the port maintainer either updates VuXML themselves
directly or tells the appropriate people that there are vulnerabilities
that need to be recorded.
Ports-secteam do not try to track CVEs for everything in the ports:
that's probably unfeasible given that it's a volunteer effort.
The latest tomcat advisories being missing from VuXML is a symptom of
the perennial problem: nobody stepping up to do the work.
pkg-audit(8) has been pretty good at reporting problems, but it always
has been a best-efforts thing, and there's no guarantee it will be
More information about the freebsd-ports