Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 11 Apr 2014 21:56:58 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        Erik Trulsson <Erik.Trulsson.1013@student.uu.se>, sbremal@hotmail.com
Cc:        freebsd-security@freebsd.org
Subject:   Re: CVE-2014-0160?
Message-ID:  <5348571A.9060703@FreeBSD.org>
In-Reply-To: <20140411163453.10305uc2u7ijvcst@webmail.uu.se>
References:  <DUB126-W5BC501CB4B718B4504D74A9540@phx.gbl>, <alpine.DEB.2.00.1404111341450.13520@strudel.ki.iif.hu>, <DUB126-W864CD6C2BD872D72C58222A9540@phx.gbl>, <D0491050-C6C0-4124-966C-3153FB618532@icloud.com> <DUB126-W77A08013F5277DB2C69816A9540@phx.gbl> <20140411163453.10305uc2u7ijvcst@webmail.uu.se>

next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--k68gKep2f1QRlfniUsvn4GvPW3PNsbqp1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

On 11/04/2014 15:34, Erik Trulsson wrote:
> Quoting sbremal@hotmail.com:
>=20
>> I receive daily email from the host which normally shows port audits
>> and vulnerabilities. However, I did not sport anything related to
>> CVE-2014-0160 in this email. I expected the same info comes in this
>> email about the base system as well.
>>
>> How do you normally inform about recent vulnerability in the base
>> system? (I believe newspaper and TV is not the best way...)
>=20
> No, the port audit system does not cover base system vulnerabilities.
>=20
> Security advisories regarding the base systems are supposed to be sent =
by
> e-mail to the following mailing lists:
>=20
>     FreeBSD-security-notifications@FreeBSD.org
>     FreeBSD-security@FreeBSD.org
>     FreeBSD-announce@FreeBSD.org
>=20
> Personally I would recommend all FreeBSD users to subscribe to the
> freebsd-announce list at least.

portaudit is rapidly becoming obsolete.  Today's alternative is pkg-audit=
(8)

One of the non obvious things about the switch from portaudit to pkg
audit is that pkg audit uses the standard vuxml vulnerability database
directly, whereas portaudit used it's own vulnerability data which was
essentially a heavily trimmed extract from vuxml.

The interesting thing about vuxml is that it is quite possible to write
vulnerability entries for the base system.  Eg.

http://vuxml.freebsd.org/freebsd/b72bad1c-20ed-11e3-be06-000c29ee3065.htm=
l

This is applied inconsistently though.  While there is an entry for
OpenSSL Heartbleed, it doesn't contain any reference to the FreeBSD base
system and the security advisories (at least, not at the time I was
writing this...)

It's also not a feature of pkg audit or any other tool I am aware of
that it can warn about base system vulnerabilities.  Such functionality
would be very welcome though.

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey



--k68gKep2f1QRlfniUsvn4GvPW3PNsbqp1
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJ8BAEBCgBmBQJTSFccXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2NTNBNjhCOTEzQTRFNkNGM0UxRTEzMjZC
QjIzQUY1MThFMUE0MDEzAAoJELsjr1GOGkATAlgQAKlcZafxYGsjyzRbvnwniRgN
WQuCeUYW8E2lgFrnQz3DnVaGWXxgEdCrk8+b09I4udd+4s33UqfLOw49RSq/RCI9
UTGpKowCtOFrbyvuHuiVfW1qoClmnDycbyESRWD0vJAQ1pOSnMxsht/tMJd3Fqm5
h6ESyGKWHwcfgJLyERnm88E5k3ISX8B7g9cqpAvjJv5STWJFyLXSWG0xJnav8B4J
07LVGiNnBhuTvt2w1yBPhgiReIj2eDI8XE5pREgtoBaZo0EzFspJCqwPdkkfhwtp
EcQWQSRO2P2ubrv9k/Mv8CZK4SOZRmZcAp6KIsclWOidiSwjhdafUmzokbfAxdZA
0trjIkr0y1UNGkoIzpO1qWVMWZfkEGyhhMfqStFG/pXeD6D/3cn6DSP/darbJL13
jlFMpVK5ijZ+asHWFdargHNuTd//Utquo4pHtAP20i0s6uqMKpZXueDlTANThGOV
jAb09QT6s5FWUelpBZaUbHuj76wnJtf82Uoz2ytK0xccMwktSxFSjjG+swsP7ef8
R5t0KraVZWCfBuwqKS7LYMjeQPP0nONBfgmvkzw9GesPnl1SGI4aWB/Fqctm8udt
Q2SKYbt/Gma10GWPUdTgPw1emkYyfJMg78afeM4WaHxXXXjNfIiOcjdzw3LEgE1Y
V1zgQyRjCH3ZZQDs/FSn
=Buqo
-----END PGP SIGNATURE-----

--k68gKep2f1QRlfniUsvn4GvPW3PNsbqp1--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5348571A.9060703>