From owner-freebsd-security@FreeBSD.ORG Mon May 18 19:01:32 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6DC433A0; Mon, 18 May 2015 19:01:32 +0000 (UTC) Received: from mail-wg0-x230.google.com (mail-wg0-x230.google.com [IPv6:2a00:1450:400c:c00::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 19E7D1482; Mon, 18 May 2015 19:01:32 +0000 (UTC) Received: by wguv19 with SMTP id v19so138217732wgu.1; Mon, 18 May 2015 12:01:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2IGuXE/DNzYCBII8WeX1tIA2OjD82OXF6oyVvk8W4YY=; b=DIDi55FbbhutOF1nVQhHUin02LKdX9lF7vQm8xbFoIdc34YPcUlg0vkgd85+ZtakPJ mvW3Gza4jafdUTHvsnugCeXFUib43Qj0lHEscu7BfTJY7pHwnaEzyz4WTE95Pnhs7mDz bA7RASjqr1l1uEvL+GUUfWHVQZhLkmRzzgwRE7jGdOY0kUa4foRU/OzOsdTqqkp69Sya g+nMusWOfYLruJ2X3LPaTWs1Jczl3NVuRFcM2JK/fCzhMMCO4sQWkBOgiMsmlfMHo9q1 TcNXwvTyR5gIPQQT+kj4kQitruNa+YJLIXyNWIaLFt+Zxs28fyYbkGddo7sNQPBzgqd1 B80A== MIME-Version: 1.0 X-Received: by 10.180.206.211 with SMTP id lq19mr24744255wic.26.1431975690552; Mon, 18 May 2015 12:01:30 -0700 (PDT) Received: by 10.194.88.165 with HTTP; Mon, 18 May 2015 12:01:30 -0700 (PDT) In-Reply-To: <1431972413.2880876.271908321.6959F2D3@webmail.messagingengine.com> References: <20150517210300.45FF67B8@hub.freebsd.org> <1431972413.2880876.271908321.6959F2D3@webmail.messagingengine.com> Date: Mon, 18 May 2015 20:01:30 +0100 Message-ID: Subject: Re: pkg audit / vuln.xml failures From: "Sevan / Venture37" To: Mark Felder Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 19:01:32 -0000 On 18 May 2015 at 19:06, Mark Felder wrote: > > > On Sun, May 17, 2015, at 16:02, Roger Marquis wrote: >> Does anyone know what's going on with vuln.xml updates? Over the last >> few weeks and months CVEs and application mailing lists have announced >> vulnerabilities for several ports that in some cases only showed up in >> vuln.xml after several days and in other cases are still not listed >> (despite email to the security team). >> >> Is there a URL outlining the policies and procedures of vuln.xml >> maintenance? >> > > I am also interested. I know there is a desire to leverage CPE in the > future, but I've seen CPE entries take weeks to show up. Our vuln.xml > maintenance has always been pretty solid. Is there a lack of manpower > right now? Are there notices/reports not being processed? > > How can we help? Bug reports with notice of new additions just to give a heads up at the least. Sevan / Venture37