Date: Sun, 24 May 2015 09:01:20 -0700
From: Kevin Oberman <rkoberman@gmail.com>
To: Xin Li <delphij@delphij.net>
Cc: Jason Unovitch <jason.unovitch@gmail.com>, ports-secteam@freebsd.org, freebsd-security@freebsd.org, FreeBSD Ports ML <freebsd-ports@freebsd.org>, xmj@freebsd.org, pi@freebsd.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
Message-ID: <CAN6yY1s5es46UeX49voLg-i02rA6bx0fnUo_injbJFZypfKK0A@mail.gmail.com>
In-Reply-To: <55618388.7000504@delphij.net>
References: <alpine.BSF.2.11.1505171402430.52815@eboyr.pbz> <20150523153031.A1A07357@hub.freebsd.org> <CABW2x9oPxhzrNmRd8qmVkw13F9zwqQpMGV-UqxJ0TJgiZF6Zyw@mail.gmail.com> <55618388.7000504@delphij.net>
On Sun, May 24, 2015 at 12:53 AM, Xin Li <delphij@delphij.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> On 5/23/15 09:14, Jason Unovitch wrote:
> > On Sat, May 23, 2015 at 11:30 AM, Roger Marquis <marquis@roble.com> wrote:
> >> If you find a vulnerability such as a new CVE or mailing list
> >> announcement please send it to the port maintainer and
> >> <ports-secteam@FreeBSD.org> as quickly as possible. They are
> >> woefully understaffed and need our help. Though freebsd.org
> >> indicates that security alerts should be sent to
> >> <secteam@FreeBSD.org> this is incorrect. If the vulnerability is
> >> in a port or package send an alert to ports-secteam@ and NOT
> >> secteam@ as the secteam will generally not reply to your email or
> >> forward the alerts to ports-secteam.
> >>
> >> Roger

Can our bugzilla have a button or something similar to tag bugs with CVE entries and adding ports-secteam to the cc list? Better would be a scan of bug submissions for the string "CVE-". (I have never looked at bugzilla other than to use it to search or submit bugs, so have no idea if this is feasible.)

I know that this would generate false positives, but it appears to me that most all such could be dismissed very quickly and would be better than having serious security issues lost in the heap of bug reports.

I know that when I opened a PR (pre-bugzilla) for a significant security issue in a popular port (ImageMagick) a few years ago, even though I marked it as "critical", it was almost 2 weeks before the port was updated, probably because the maintainer was just routinely updating the port as the commit did not reference the vulnerability, at all. It was a rather gaping hole, too. The PR was eventually closed as very stale, as it should have been by then.

--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com