Date: Wed, 27 May 2015 14:34:05 -0500
From: Matthew Donovan <kitche@kitchetech.com>
To: Roger Marquis <marquis@roble.com>
Cc: freebsd-ports <freebsd-ports@freebsd.org>, Mark Felder <feld@freebsd.org>
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
Message-ID: <CABgom6eJzHSjgK32AcTEavL2uTG8c9Z6szD=xzggioBhs%2BzjGQ@mail.gmail.com>
In-Reply-To: <20150527174038.9B78EB77@hub.freebsd.org>
References: <alpine.BSF.2.11.1505171402430.52815@eboyr.pbz> <20150523153029.B7BD3280@hub.freebsd.org> <1432659389.3130746.278522905.6D1E6549@webmail.messagingengine.com> <20150527174038.9B78EB77@hub.freebsd.org>
I found the ports security reporting page without issues: http://www.freebsd.org/security/reporting.html. It appears someone should read the reporting page instead of saying the information is not correct.

On May 27, 2015 12:40 PM, "Roger Marquis" <marquis@roble.com> wrote:
>>> If you find a vulnerability such as a new CVE or mailing list
>>> announcement please send it to the port maintainer and
>>> <ports-secteam@FreeBSD.org> as quickly as possible. They are woefully
>>> understaffed and need our help.
>>>
>> Mark Felder wrote:
>
>> Who is "ports-secteam"?
>>
>
> It was Xin Li who alerted me to the ports-secteam@freebsd.org address
> i.e., as being distinct from the "FreeBSD Security Team"
> (secteam@freebsd.org) address noted on
> <https://www.freebsd.org/security/>.
>
>> There has been no Call For Help that I've ever seen. If people are needed
>> to process these CVEs so they are entered into VUXML, sign me up to
>> ports-secteam please.
>>
>
> I believe that is part of the problem, or the multiple problems, that
> led me to believe that FreeBSD is operating without the active
> involvement of a security officer. Specifically:
>
> * port vulnerability alerts sent to secteam@, as indicated on the
> /security/ page, are neither forwarded to ports-secteam@ for review nor
> returned to the sender with a note regarding the correct destination
> address,
>
> * the freebsd.org/security web page is not correct and not being
> updated,
>
> * aside from Xin nobody from either ports-secteam@ or secteam@, much
> less security-officer@, seems to be reading or participating in the
> security@ mailing list,
>
> * nobody @freebsd.org appears to be following CVE announcements and the
> maintainers of several high profile ports are also not following it or
> even their application's -announce list,
>
> * there appears to be no automated process to alert vuln.xml maintainers
> (ports-secteam@) of potential new port vulnerabilities,
>
> * offers of help to secteam@ and ports-secteam@ are neither replied to
> nor acted upon (except for Xin Li's request, thanks Xin!),
>
> * perhaps as a result the vuln.xml database is no longer reliable, and
> by extension,
>
> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
> OpenBSD server operators) have no assurance that their systems are secure.
>
> This is a MAJOR CHANGE from just a couple of years ago which calls for an
> equally major heads-up to be sent to those running FreeBSD servers and
> looking to the freebsd.org website for help securing their systems.
>
> The significance of these 7 bullets should not be overlooked or
> understated. They call into question the viability of FreeBSD itself.
>
> IMO,
> Roger Marquis
> _______________________________________________
> freebsd-ports@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"