Fwd: [tor-relays] FreeBSD 11.1 ZFS Tor Image
Roger Marquis
marquis at roble.com
Tue Feb 27 19:30:47 UTC 2018
Shawn Webb wrote:
> There's no need for ROP, JOP, SROP, etc. on FreeBSD. FreeBSD is
> literally stuck in 1999-era security.
This is doubly true for ports, including Tor. I submitted a vuxml entry
for apache-tomcat 5 days ago that still has not been committed. A
follow-up resulted in two replies from a helpful member of the
ports-secteam, but which took as long to write as the vuxml would have
taken to validate and commit. Its CVE is priority 7 (remotely
exploitable) but almost a week later pkg audit still won't tell you if
you're running an exploitable Tomcat.
The explanation I received is that the ports-secteam is a volunteer
effort and nobody really expects 'pkg audit' to be timely anyhow.
Such easily fixable problems. Even the FreeBSD Foundation for all the
projects it funds, and could fund with +$2.5M in the bank, doesn't seem
to care.
Roger Marquis