Fwd: [tor-relays] FreeBSD 11.1 ZFS Tor Image

Roger Marquis marquis at roble.com
Tue Feb 27 19:30:47 UTC 2018

Shawn Webb wrote:
> There's no need for ROP, JOP, SROP, etc. on FreeBSD. FreeBSD is
> literally stuck in 1999-era security.

This is doubly true for ports, including Tor.  I submitted a vuxml entry
for apache-tomcat 5 days ago that still has not been committed.  A
follow-up resulted in two replies from a helpful member of the
ports-secteam, but which took as long to write as the vulxml would have
taken to validate and commit.  Its CVE is priority 7 (remotely
exploitable) but almost a week later pkg audit still won't tell you if
you're running an exploitable Tomcat.

The explanation I received is that the ports-secteam is a volunteer
effort and nobody really expects 'pkg audit' to be timely anyhow.

Such easily fixable problems.  Even the FreeBSD Foundation for all the
projects it funds, and could fund with +$2.5M in the bank, doesn't seem
to care.

Roger Marquis

More information about the freebsd-ports mailing list