From: Mason Loring Bliss <mason@blisses.org>
To: freebsd-security@freebsd.org
Cc: info@freebsdfoundation.org
Date: Thu, 13 Aug 2015 16:20:08 -0400
Subject: Quarterly packages and security updates...
Message-ID: <20150813202007.GC4093@blisses.org>

A recent quarterly report:

    https://www.freebsd.org/news/status/report-2015-04-2015-06.html

and last week's BSD Now episode both hint that quarterly packages will be
the default for 10.2. I just looked, and sure enough:

    https://svnweb.freebsd.org/base/releng/10.2/etc/pkg/FreeBSD.conf?view=markup

So, my issue here is that I run quarterly branches, and they are awful in
terms of security updates.
With FreeBSD 10.2 imminent, are we expecting users to install vulnerable
versions of things like Firefox right off the bat, and then wait for
whatever fixes exist at the time the next quarterly branch is cut?

A pkg audit against an up-to-date package set is pretty disappointing:

/usr/ports# pkg audit -F
vulnxml file up-to-date
libvpx-1.4.0 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

libxul-38.1.0 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4493
CVE: CVE-2015-4492
CVE: CVE-2015-4491
CVE: CVE-2015-4490
CVE: CVE-2015-4489
CVE: CVE-2015-4488
CVE: CVE-2015-4487
CVE: CVE-2015-4484
CVE: CVE-2015-4483
CVE: CVE-2015-4482
CVE: CVE-2015-4481
CVE: CVE-2015-4480
CVE: CVE-2015-4479
CVE: CVE-2015-4478
CVE: CVE-2015-4474
CVE: CVE-2015-4473
WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

sox-14.4.2 is vulnerable:
sox -- memory corruption vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/9dd761ff-30cb-11e5-a4a5-002590263bf5.html

subversion-1.8.10_3 is vulnerable:
subversion -- DoS vulnerabilities
CVE: CVE-2014-8108
CVE: CVE-2014-3580
WWW: https://vuxml.FreeBSD.org/freebsd/f5561ade-846c-11e4-b7a7-20cf30e32f6d.html

subversion-1.8.10_3 is vulnerable:
subversion -- DoS vulnerabilities
CVE: CVE-2015-0251
CVE: CVE-2015-0248
CVE: CVE-2015-0202
WWW: https://vuxml.FreeBSD.org/freebsd/8e887b71-d769-11e4-b1c2-20cf30e32f6d.html

subversion-1.8.10_3 is vulnerable:
subversion -- multiple vulnerabilities
CVE: CVE-2015-3187
CVE: CVE-2015-3184
WWW: https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html

firefox-39.0,1 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

firefox-39.0,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4495
WWW: https://vuxml.FreeBSD.org/freebsd/8eee06d4-c21d-4f07-a669-455151ff426f.html

firefox-39.0,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4493
CVE: CVE-2015-4492
CVE: CVE-2015-4491
CVE: CVE-2015-4490
CVE: CVE-2015-4489
CVE: CVE-2015-4488
CVE: CVE-2015-4487
CVE: CVE-2015-4484
CVE: CVE-2015-4483
CVE: CVE-2015-4482
CVE: CVE-2015-4481
CVE: CVE-2015-4480
CVE: CVE-2015-4479
CVE: CVE-2015-4478
CVE: CVE-2015-4477
CVE: CVE-2015-4475
CVE: CVE-2015-4474
CVE: CVE-2015-4473
WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

5 problem(s) in the installed packages found.

-- 
Mason Loring Bliss  mason@blisses.org  Ewige Blumenkraft!
(if awake 'sleep (aref #(sleep dream) (random 2))) -- Hamlet, Act III, Scene I
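As an added example (not part of the message above, nor pkg's own code), a small parser for the `pkg audit -F` output format shown in the mail, grouping each entry's CVE and VuXML advisory lines by package so the result can feed a cron report or a deployment gate; the sample input is a constructed excerpt of the audit output quoted in the message.

```python
import re
from collections import OrderedDict

PKG_RE = re.compile(r"^(\S+) is vulnerable:$")

# Constructed sample: an excerpt of the `pkg audit -F` output quoted in the
# message above, in pkg's own layout (package line, title line, CVE:, WWW:).
SAMPLE_AUDIT = """\
libvpx-1.4.0 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

subversion-1.8.10_3 is vulnerable:
subversion -- DoS vulnerabilities
CVE: CVE-2014-8108
CVE: CVE-2014-3580
WWW: https://vuxml.FreeBSD.org/freebsd/f5561ade-846c-11e4-b7a7-20cf30e32f6d.html

subversion-1.8.10_3 is vulnerable:
subversion -- multiple vulnerabilities
CVE: CVE-2015-3187
CVE: CVE-2015-3184
WWW: https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html
"""

def parse_pkg_audit(text):
    """Group audit output by package; several VuXML entries for one package merge."""
    findings = OrderedDict()
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = PKG_RE.match(line)
        if m:
            current = findings.setdefault(m.group(1), {"titles": [], "advisories": [], "cves": set()})
        elif current is None or line == "":
            current = None                 # blank line (or the trailer) ends an entry
        elif line.startswith("CVE: "):
            current["cves"].add(line[5:])
        elif line.startswith("WWW: "):
            current["advisories"].append(line[5:])
        else:
            current["titles"].append(line)  # the "<origin> -- <summary>" line
    return findings

def summarize(findings):
    # One line per package, e.g. for a cron mail or a log pipeline.
    return ["%s: %d advisory(ies), %d CVE(s)" % (pkg, len(v["advisories"]), len(v["cves"]))
            for pkg, v in findings.items()]
```

Pipe real output in with `pkg audit -F | python3 -c 'import sys, audit; print("\n".join(audit.summarize(audit.parse_pkg_audit(sys.stdin.read()))))'` if the block is saved as audit.py.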