Date: Wed, 27 May 2015 10:40:28 -0700 (PDT) From: Roger Marquis <marquis@roble.com> To: Mark Felder <feld@FreeBSD.org> Cc: freebsd-ports@freebsd.org Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo) In-Reply-To: <1432659389.3130746.278522905.6D1E6549@webmail.messagingengine.com> References: <alpine.BSF.2.11.1505171402430.52815@eboyr.pbz> <20150523153029.B7BD3280@hub.freebsd.org> <1432659389.3130746.278522905.6D1E6549@webmail.messagingengine.com>
>> If you find a vulnerability such as a new CVE or mailing list
>> announcement please send it to the port maintainer and
>> <ports-secteam@FreeBSD.org> as quickly as possible. They are woefully
>> understaffed and need our help.

Mark Felder wrote:
> Who is "ports-secteam"?

It was Xin Li who alerted me to the ports-secteam@freebsd.org address,
i.e., as being distinct from the "FreeBSD Security Team"
(secteam@freebsd.org) address noted on <https://www.freebsd.org/security/>.

> There has been no Call For Help that I've ever seen. If people are needed
> to process these CVEs so they are entered into VUXML, sign me up to
> ports-secteam please.

I believe that is part of the problem, or the multiple problems, that led
me to believe that FreeBSD is operating without the active involvement of
a security officer. Specifically:

* port vulnerability alerts sent to secteam@, as indicated on the
  /security/ page, are neither forwarded to ports-secteam@ for review nor
  returned to the sender with a note regarding the correct destination
  address,
* the freebsd.org/security web page is not correct and not being updated,
* aside from Xin nobody from either ports-secteam@ or secteam@, much less
  security-officer@, seems to be reading or participating in the security@
  mailing list,
* nobody @freebsd.org appears to be following CVE announcements, and the
  maintainers of several high profile ports are also not following it or
  even their application's -announce list,
* there appears to be no automated process to alert vuln.xml maintainers
  (ports-secteam@) of potential new port vulnerabilities,
* offers of help to secteam@ and ports-secteam@ are neither replied to nor
  acted upon (except for Xin Li's request, thanks Xin!),
* perhaps as a result the vuln.xml database is no longer reliable, and by
  extension,
* operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
  OpenBSD server operators) have no assurance that their systems are
  secure.

This is a MAJOR CHANGE from just a couple of years ago which calls for an
equally major heads-up to be sent to those running FreeBSD servers and
looking to the freebsd.org website for help securing their systems. The
significance of these 7 bullets should not be overlooked or understated.
They call into question the viability of FreeBSD itself.

IMO,
Roger Marquis