New pkg audit FNs
Jan Beich
jbeich at FreeBSD.org
Mon Oct 9 20:35:00 UTC 2017
Matthew Seaman <matthew at FreeBSD.org> writes:
> On 09/10/2017 16:57, Roger Marquis wrote:
>
>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
>> there's no mention of it in the vulnerability database The tomcat8
>> port's Makefile also still points to the older, vulnerable version.
>> Tomcat is one of those popular, internet-facing applications that sites
>> need to check and/or update quickly when CVEs are released and most
>> admins probably don't expect "pkg audit" to throw false negatives.
>
> Ports-secteam (and secteam, for that matter) will update VuXML when they
> know about vulnerabilities that affect FreeBSD ports, however the usual
> mechanism is that the port maintainer either updates VuXML themselves
> directly or tells the appropriate people that there are vulnerabilities
> that need to be recorded.
What happened to querying CVE database using CPE strings? ENOTIME is a
common disease in volunteer projects, ports-secteam@ is no exception.
Finding missing entries is trivial if one looks at Debian tracker.
Let's pick something popular e.g., tiff-4.0.8 has 6 CVEs none of which
are fixed in the port.
https://wiki.freebsd.org/Ports/CPE
More information about the freebsd-ports
mailing list