From owner-freebsd-security@FreeBSD.ORG Fri Apr 11 20:57:08 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 712808C7 for ; Fri, 11 Apr 2014 20:57:08 +0000 (UTC) Received: from smtp.infracaninophile.co.uk (smtp6.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3cd3:cd67:fafa:3d78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "ca.infracaninophile.co.uk" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 18F4E1C0E for ; Fri, 11 Apr 2014 20:57:07 +0000 (UTC) Received: from seedling.black-earth.co.uk (seedling.black-earth.co.uk [81.2.117.99]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.8/8.14.8) with ESMTP id s3BKv1Yq094154 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Fri, 11 Apr 2014 21:57:02 +0100 (BST) (envelope-from matthew@FreeBSD.org) DKIM-Filter: OpenDKIM Filter v2.8.3 smtp.infracaninophile.co.uk s3BKv1Yq094154 Authentication-Results: smtp.infracaninophile.co.uk/s3BKv1Yq094154; dkim=none reason="no signature"; dkim-adsp=none Message-ID: <5348571A.9060703@FreeBSD.org> Date: Fri, 11 Apr 2014 21:56:58 +0100 From: Matthew Seaman User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Erik Trulsson , sbremal@hotmail.com Subject: Re: CVE-2014-0160? References: , , , <20140411163453.10305uc2u7ijvcst@webmail.uu.se> In-Reply-To: <20140411163453.10305uc2u7ijvcst@webmail.uu.se> X-Enigmail-Version: 1.6 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="k68gKep2f1QRlfniUsvn4GvPW3PNsbqp1" X-Virus-Scanned: clamav-milter 0.98.1 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham autolearn_force=no version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lucid-nonsense.infracaninophile.co.uk X-Mailman-Approved-At: Fri, 11 Apr 2014 21:05:02 +0000 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Apr 2014 20:57:08 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --k68gKep2f1QRlfniUsvn4GvPW3PNsbqp1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 11/04/2014 15:34, Erik Trulsson wrote: > Quoting sbremal@hotmail.com: >=20 >> I receive daily email from the host which normally shows port audits >> and vulnerabilities. However, I did not sport anything related to >> CVE-2014-0160 in this email. I expected the same info comes in this >> email about the base system as well. >> >> How do you normally inform about recent vulnerability in the base >> system? (I believe newspaper and TV is not the best way...) >=20 > No, the port audit system does not cover base system vulnerabilities. >=20 > Security advisories regarding the base systems are supposed to be sent = by > e-mail to the following mailing lists: >=20 > FreeBSD-security-notifications@FreeBSD.org > FreeBSD-security@FreeBSD.org > FreeBSD-announce@FreeBSD.org >=20 > Personally I would recommend all FreeBSD users to subscribe to the > freebsd-announce list at least. portaudit is rapidly becoming obsolete. Today's alternative is pkg-audit= (8) One of the non obvious things about the switch from portaudit to pkg audit is that pkg audit uses the standard vuxml vulnerability database directly, whereas portaudit used it's own vulnerability data which was essentially a heavily trimmed extract from vuxml. The interesting thing about vuxml is that it is quite possible to write vulnerability entries for the base system. Eg. http://vuxml.freebsd.org/freebsd/b72bad1c-20ed-11e3-be06-000c29ee3065.htm= l This is applied inconsistently though. While there is an entry for OpenSSL Heartbleed, it doesn't contain any reference to the FreeBSD base system and the security advisories (at least, not at the time I was writing this...) It's also not a feature of pkg audit or any other tool I am aware of that it can warn about base system vulnerabilities. Such functionality would be very welcome though. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey --k68gKep2f1QRlfniUsvn4GvPW3PNsbqp1 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.20 (Darwin) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJ8BAEBCgBmBQJTSFccXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2NTNBNjhCOTEzQTRFNkNGM0UxRTEzMjZC QjIzQUY1MThFMUE0MDEzAAoJELsjr1GOGkATAlgQAKlcZafxYGsjyzRbvnwniRgN WQuCeUYW8E2lgFrnQz3DnVaGWXxgEdCrk8+b09I4udd+4s33UqfLOw49RSq/RCI9 UTGpKowCtOFrbyvuHuiVfW1qoClmnDycbyESRWD0vJAQ1pOSnMxsht/tMJd3Fqm5 h6ESyGKWHwcfgJLyERnm88E5k3ISX8B7g9cqpAvjJv5STWJFyLXSWG0xJnav8B4J 07LVGiNnBhuTvt2w1yBPhgiReIj2eDI8XE5pREgtoBaZo0EzFspJCqwPdkkfhwtp EcQWQSRO2P2ubrv9k/Mv8CZK4SOZRmZcAp6KIsclWOidiSwjhdafUmzokbfAxdZA 0trjIkr0y1UNGkoIzpO1qWVMWZfkEGyhhMfqStFG/pXeD6D/3cn6DSP/darbJL13 jlFMpVK5ijZ+asHWFdargHNuTd//Utquo4pHtAP20i0s6uqMKpZXueDlTANThGOV jAb09QT6s5FWUelpBZaUbHuj76wnJtf82Uoz2ytK0xccMwktSxFSjjG+swsP7ef8 R5t0KraVZWCfBuwqKS7LYMjeQPP0nONBfgmvkzw9GesPnl1SGI4aWB/Fqctm8udt Q2SKYbt/Gma10GWPUdTgPw1emkYyfJMg78afeM4WaHxXXXjNfIiOcjdzw3LEgE1Y V1zgQyRjCH3ZZQDs/FSn =Buqo -----END PGP SIGNATURE----- --k68gKep2f1QRlfniUsvn4GvPW3PNsbqp1--