Quarterly packages and security updates...

Mason Loring Bliss mason at blisses.org
Thu Aug 13 20:28:38 UTC 2015


A recent quarterly report:

    https://www.freebsd.org/news/status/report-2015-04-2015-06.html

and last week's BSD Now episode both hint that quarterly packages will be the
default for 10.2. I just looked, and sure enough:

    https://svnweb.freebsd.org/base/releng/10.2/etc/pkg/FreeBSD.conf?view=markup

So, my issue here is that I run quarterly branches, and they are awful in
terms of security updates. With FreeBSD 10.2 imminent, are we expecting users
to install vulnerable versions of things like Firefox right off the bat, and
then wait for whatever fixes exist at the time the next quarterly branch is
cut?

A pkg audit against an up-to-date package set is pretty disappointing:

/usr/ports# pkg audit -F
vulnxml file up-to-date
libvpx-1.4.0 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

libxul-38.1.0 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4493
CVE: CVE-2015-4492
CVE: CVE-2015-4491
CVE: CVE-2015-4490
CVE: CVE-2015-4489
CVE: CVE-2015-4488
CVE: CVE-2015-4487
CVE: CVE-2015-4484
CVE: CVE-2015-4483
CVE: CVE-2015-4482
CVE: CVE-2015-4481
CVE: CVE-2015-4480
CVE: CVE-2015-4479
CVE: CVE-2015-4478
CVE: CVE-2015-4474
CVE: CVE-2015-4473
WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

sox-14.4.2 is vulnerable:
sox -- memory corruption vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/9dd761ff-30cb-11e5-a4a5-002590263bf5.html

subversion-1.8.10_3 is vulnerable:
subversion -- DoS vulnerabilities
CVE: CVE-2014-8108
CVE: CVE-2014-3580
WWW: https://vuxml.FreeBSD.org/freebsd/f5561ade-846c-11e4-b7a7-20cf30e32f6d.html

subversion-1.8.10_3 is vulnerable:
subversion -- DoS vulnerabilities
CVE: CVE-2015-0251
CVE: CVE-2015-0248
CVE: CVE-2015-0202
WWW: https://vuxml.FreeBSD.org/freebsd/8e887b71-d769-11e4-b1c2-20cf30e32f6d.html

subversion-1.8.10_3 is vulnerable:
subversion -- multiple vulnerabilities
CVE: CVE-2015-3187
CVE: CVE-2015-3184
WWW: https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html

firefox-39.0,1 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

firefox-39.0,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4495
WWW: https://vuxml.FreeBSD.org/freebsd/8eee06d4-c21d-4f07-a669-455151ff426f.html

firefox-39.0,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4493
CVE: CVE-2015-4492
CVE: CVE-2015-4491
CVE: CVE-2015-4490
CVE: CVE-2015-4489
CVE: CVE-2015-4488
CVE: CVE-2015-4487
CVE: CVE-2015-4484
CVE: CVE-2015-4483
CVE: CVE-2015-4482
CVE: CVE-2015-4481
CVE: CVE-2015-4480
CVE: CVE-2015-4479
CVE: CVE-2015-4478
CVE: CVE-2015-4477
CVE: CVE-2015-4475
CVE: CVE-2015-4474
CVE: CVE-2015-4473
WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

5 problem(s) in the installed packages found.

-- 
Mason Loring Bliss             mason at blisses.org            Ewige Blumenkraft!
(if awake 'sleep (aref #(sleep dream) (random 2))) -- Hamlet, Act III, Scene I
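As an added example (not part of the post above), a small POSIX sh script that counts what a `pkg audit -F` report like the one quoted actually contains (distinct vulnerable packages versus distinct CVEs, since the same CVE shows up under a library and again under every package that bundles it) and writes the per-host repo override that tracks the "latest" branch instead of the quarterly default. The audit text is a constructed sample in the quoted format; the output path passed to `write_latest_repo_conf` is an assumption and on a real host would be `/usr/local/etc/pkg/repos/FreeBSD.conf`.

```shell
#!/bin/sh
# Added example (not from the original post): count what `pkg audit -F`
# reports and write the repo override that tracks "latest" instead of the
# quarterly default. The sample audit output below is constructed.

SAMPLE_AUDIT='libvpx-1.4.0 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

firefox-39.0,1 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

firefox-39.0,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4495
WWW: https://vuxml.FreeBSD.org/freebsd/8eee06d4-c21d-4f07-a669-455151ff426f.html

2 problem(s) in the installed packages found.'

# Distinct vulnerable packages: one "<pkg> is vulnerable:" header per advisory,
# so a package with several advisories is counted once (as pkg's total does).
audit_vulnerable_pkgs() {
    printf '%s\n' "$1" | awk '/ is vulnerable:$/ { print $1 }' | sort -u | wc -l | tr -d ' '
}

# Distinct CVEs: the same CVE is listed under each package carrying it
# (here the libvpx CVEs appear under both libvpx and firefox).
audit_distinct_cves() {
    printf '%s\n' "$1" | awk '$1 == "CVE:" { print $2 }' | sort -u | wc -l | tr -d ' '
}

# Repo override tracking "latest". $1 is the file to write; on a real host it
# is /usr/local/etc/pkg/repos/FreeBSD.conf, which overrides /etc/pkg/FreeBSD.conf.
write_latest_repo_conf() {
    cat > "$1" <<'EOF'
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
EOF
}
```

After writing the override, `pkg update -f` followed by `pkg audit -F` shows whether the "latest" branch already carries fixed versions of the packages flagged above.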