From owner-freebsd-security@FreeBSD.ORG Mon May 18 19:26:20 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 357C4F5B for ; Mon, 18 May 2015 19:26:20 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 08CDF1867 for ; Mon, 18 May 2015 19:26:19 +0000 (UTC) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id EEEB6210B0 for ; Mon, 18 May 2015 15:26:18 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute4.internal (MEProxy); Mon, 18 May 2015 15:26:18 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=9VtwSW7SzbnrVHn B56VIuKCRg/U=; b=mqtAz9itsyLLMpHl8gnTvhNwYOrwlo6mPzLkcEuwiRWsSu8 9H+MpkUteqaM1d1Z23+S3UOO0/ZP+fhA0Z3DdH2kFlod4gh7W/K7EMKrLNWqbImX iLtXicANNMj2SZga1dUEE/WGlQYpZpKkQ207/izH83NbVk7AJ3y6uls5BuHQ= Received: by web3.nyi.internal (Postfix, from userid 99) id C8E8210BF32; Mon, 18 May 2015 15:26:18 -0400 (EDT) Message-Id: <1431977178.2897923.271980105.0D554040@webmail.messagingengine.com> X-Sasl-Enc: tIpaL9Z1OVKJu1SQLBGV/ebK1eEXdzVI2yGlT0bzC5f9 1431977178 From: Mark Felder To: "Sevan / Venture37" Cc: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-fd425702 In-Reply-To: References: <20150517210300.45FF67B8@hub.freebsd.org> <1431972413.2880876.271908321.6959F2D3@webmail.messagingengine.com> Subject: Re: pkg audit / vuln.xml failures Date: Mon, 18 May 2015 14:26:18 -0500 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 19:26:20 -0000 On Mon, May 18, 2015, at 14:01, Sevan / Venture37 wrote: > On 18 May 2015 at 19:06, Mark Felder wrote: > > > > > > On Sun, May 17, 2015, at 16:02, Roger Marquis wrote: > >> Does anyone know what's going on with vuln.xml updates? Over the last > >> few weeks and months CVEs and application mailing lists have announced > >> vulnerabilities for several ports that in some cases only showed up in > >> vuln.xml after several days and in other cases are still not listed > >> (despite email to the security team). > >> > >> Is there a URL outlining the policies and procedures of vuln.xml > >> maintenance? > >> > > > > I am also interested. I know there is a desire to leverage CPE in the > > future, but I've seen CPE entries take weeks to show up. Our vuln.xml > > maintenance has always been pretty solid. Is there a lack of manpower > > right now? Are there notices/reports not being processed? > > > > How can we help? > > Bug reports with notice of new additions just to give a heads up at the > least. > I was just thinking it might be nice when you're committing a change to a port to fix a CVE if there was a tag you can drop in the commit log to tell ports-security if there is a need for an entry to vuln.xml. At least those without experience editing vuln.xml can more easily have someone else assist them with getting it added.