New pkg audit FNs

Jan Beich jbeich at
Mon Oct 9 20:35:00 UTC 2017

Matthew Seaman <matthew at> writes:

> On 09/10/2017 16:57, Roger Marquis wrote:
>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
>> there's no mention of it in the vulnerability database  The tomcat8
>> port's Makefile also still points to the older, vulnerable version.
>> Tomcat is one of those popular, internet-facing applications that sites
>> need to check and/or update quickly when CVEs are released and most
>> admins probably don't expect "pkg audit" to throw false negatives.
> Ports-secteam (and secteam, for that matter) will update VuXML when they
> know about vulnerabilities that affect FreeBSD ports, however the usual
> mechanism is that the port maintainer either updates VuXML themselves
> directly or tells the appropriate people that there are vulnerabilities
> that need to be recorded.

What happened to querying CVE database using CPE strings? ENOTIME is a
common disease in volunteer projects, ports-secteam@ is no exception.
Finding missing entries is trivial if one looks at Debian tracker.
Let's pick something popular e.g., tiff-4.0.8 has 6 CVEs none of which
are fixed in the port.

More information about the freebsd-ports mailing list