From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: pkg audit / vuln.xml failures
Date: Mon, 18 May 2015 13:06:53 -0500
Message-Id: <1431972413.2880876.271908321.6959F2D3@webmail.messagingengine.com>
In-Reply-To: <20150517210300.45FF67B8@hub.freebsd.org>

On Sun, May 17, 2015, at 16:02, Roger Marquis wrote:
> Does anyone know what's going on with vuln.xml updates? Over the last
> few weeks and months CVEs and application mailing lists have announced
> vulnerabilities for several ports that in some cases only showed up in
> vuln.xml after several days and in other cases are still not listed
> (despite email to the security team).
>
> Is there a URL outlining the policies and procedures of vuln.xml
> maintenance?
>

I am also interested. I know there is a desire to leverage CPE in the future, but I've seen CPE entries take weeks to show up. Our vuln.xml maintenance has always been pretty solid. Is there a lack of manpower right now? Are there notices/reports not being processed? How can we help?