Quarterly packages and security updates...
Mark Felder
feld at FreeBSD.org
Fri Aug 14 15:27:45 UTC 2015
On Thu, Aug 13, 2015, at 15:20, Mason Loring Bliss wrote:
> A recently quarterly report:
>
> https://www.freebsd.org/news/status/report-2015-04-2015-06.html
>
> and last week's BSD Now episode both hint that quarterly packages will be
> the
> default for 10.2. I just looked, and sure enough:
>
> https://svnweb.freebsd.org/base/releng/10.2/etc/pkg/FreeBSD.conf?view=markup
>
> So, my issue here is that I run quarterly branches, and they are awful in
> terms of security updates. With FreeBSD 10.2 imminent, are we expecting
> users
> to install vulnerable versions of things like Firefox right off the bat,
> and
> then wait for whatever fixes exist at the time the next quarterly branch
> is
> cut?
>
You should not see vulnerable packages in the quarterly branch unless
there is no public fix available. If you come across this type of
situation where it is fixed in HEAD but not in the quarterly branch
please email the maintainer and ports-secteam@ ASAP.
> A pkg audit against an up-to-date package set is pretty disappointing:
>
> /usr/ports# pkg audit -F
> vulnxml file up-to-date
> libvpx-1.4.0 is vulnerable:
> libvpx -- multiple buffer overflows
> CVE: CVE-2015-4486
> CVE: CVE-2015-4485
> WWW:
> https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html
>
> libxul-38.1.0 is vulnerable:
> mozilla -- multiple vulnerabilities
> CVE: CVE-2015-4493
> CVE: CVE-2015-4492
> CVE: CVE-2015-4491
> CVE: CVE-2015-4490
> CVE: CVE-2015-4489
> CVE: CVE-2015-4488
> CVE: CVE-2015-4487
> CVE: CVE-2015-4484
> CVE: CVE-2015-4483
> CVE: CVE-2015-4482
> CVE: CVE-2015-4481
> CVE: CVE-2015-4480
> CVE: CVE-2015-4479
> CVE: CVE-2015-4478
> CVE: CVE-2015-4474
> CVE: CVE-2015-4473
> WWW:
> https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html
>
This was handled here:
https://svnweb.freebsd.org/ports?view=revision&revision=394030
> sox-14.4.2 is vulnerable:
> sox -- memory corruption vulnerabilities
> WWW:
> https://vuxml.FreeBSD.org/freebsd/9dd761ff-30cb-11e5-a4a5-002590263bf5.html
>
Sox has no public fix yet
> subversion-1.8.10_3 is vulnerable:
> subversion -- DoS vulnerabilities
> CVE: CVE-2014-8108
> CVE: CVE-2014-3580
> WWW:
> https://vuxml.FreeBSD.org/freebsd/f5561ade-846c-11e4-b7a7-20cf30e32f6d.html
>
> subversion-1.8.10_3 is vulnerable:
> subversion -- DoS vulnerabilities
> CVE: CVE-2015-0251
> CVE: CVE-2015-0248
> CVE: CVE-2015-0202
> WWW:
> https://vuxml.FreeBSD.org/freebsd/8e887b71-d769-11e4-b1c2-20cf30e32f6d.html
>
> subversion-1.8.10_3 is vulnerable:
> subversion -- multiple vulnerabilities
> CVE: CVE-2015-3187
> CVE: CVE-2015-3184
> WWW:
> https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html
>
I can't speak to subversion at the moment
> firefox-39.0,1 is vulnerable:
> libvpx -- multiple buffer overflows
> CVE: CVE-2015-4486
> CVE: CVE-2015-4485
> WWW:
> https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html
>
> firefox-39.0,1 is vulnerable:
> mozilla -- multiple vulnerabilities
> CVE: CVE-2015-4495
> WWW:
> https://vuxml.FreeBSD.org/freebsd/8eee06d4-c21d-4f07-a669-455151ff426f.html
>
> firefox-39.0,1 is vulnerable:
> mozilla -- multiple vulnerabilities
> CVE: CVE-2015-4493
> CVE: CVE-2015-4492
> CVE: CVE-2015-4491
> CVE: CVE-2015-4490
> CVE: CVE-2015-4489
> CVE: CVE-2015-4488
> CVE: CVE-2015-4487
> CVE: CVE-2015-4484
> CVE: CVE-2015-4483
> CVE: CVE-2015-4482
> CVE: CVE-2015-4481
> CVE: CVE-2015-4480
> CVE: CVE-2015-4479
> CVE: CVE-2015-4478
> CVE: CVE-2015-4477
> CVE: CVE-2015-4475
> CVE: CVE-2015-4474
> CVE: CVE-2015-4473
> WWW:
> https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html
>
Quarterly branch has 40.0_4,1 which I linked above (r394030), so this
does not apply either.
Just look at the package mirror:
http://pkg.freebsd.org/freebsd:10:x86:64/quarterly/All/
* firefox-40.0_4,1.txz
* subversion-1.8.13_2.txz
* libxul-38.2.0_2.txz
The packages are there, so I don't understand how you observe these
packages to still be vulnerable.
In short: DON'T PANIC. The ports-secteam is dedicated to making sure the
Quarterly branches are getting constant care and feeding. There has been
a lot of changes in the past couple months -- just look at the increase
of vuxml entries being fed in.
Keep in mind that the less churn the quarterly branches have means the
packages can build faster. I can't make any promises and I'm not
involved in the package building architecture, but I expect you'll see
quarterly branches get ports/packages built and distributed to the
mirrors faster simply because it's less work to do so.
More information about the freebsd-security
mailing list