From: Kevin Oberman
To: Xin Li
Cc: Jason Unovitch, ports-secteam@freebsd.org, freebsd-security@freebsd.org, FreeBSD Ports ML, xmj@freebsd.org, pi@freebsd.org
Date: Sun, 24 May 2015 09:01:20 -0700
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
In-Reply-To: <55618388.7000504@delphij.net>

On Sun, May 24, 2015 at 12:53 AM, Xin Li wrote:
> Hi,
>
> On 5/23/15 09:14, Jason Unovitch wrote:
> > On Sat, May 23, 2015 at 11:30 AM, Roger Marquis wrote:
> >> If you find a vulnerability such as a new CVE or mailing list
> >> announcement please send it to the port maintainer and
> >> as quickly as possible. They are
> >> woefully understaffed and need our help. Though freebsd.org
> >> indicates that security alerts should be sent to
> >> this is incorrect. If the vulnerability is
> >> in a port or package send an alert to ports-secteam@ and NOT
> >> secteam@ as the secteam will generally not reply to your email or
> >> forward the alerts to ports-secteam.
> >>
> >> Roger

Can our bugzilla have a button or something similar to tag bugs with CVE
entries and add ports-secteam to the cc list? Better would be a scan of bug
submissions for the string "CVE-". (I have never looked at bugzilla other
than to use it to search or submit bugs, so have no idea if this is
feasible.) I know that this would generate false positives, but it appears
to me that almost all such could be dismissed very quickly, and it would be
better than having serious security issues lost in the heap of bug reports.

I know that when I opened a PR (pre-bugzilla) for a significant security
issue in a popular port (ImageMagick) a few years ago, even though I marked
it as "critical", it was almost 2 weeks before the port was updated,
probably because the maintainer was just routinely updating the port, as
the commit did not reference the vulnerability at all. It was a rather
gaping hole, too. The PR was eventually closed as very stale, as it should
have been by then.

--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
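The "scan bug submissions for CVE-" idea from the message above, sketched as an added Python example; this is not code from the thread, from FreeBSD's Bugzilla or from pkg audit. The only thing taken from the thread is the ports-secteam@freebsd.org address. The Bugzilla product name "Ports & Packages", the dict shape of a bug record and the three sample reports are assumptions constructed for the example. It goes slightly beyond the suggestion in two ways: it rejects matches whose year is outside the range in which CVE IDs can exist (which removes some of the junk matches Kevin expects), and it only auto-adds ports-secteam for ports bugs, leaving base-system reports for a human to route, in line with Roger's advice.

```python
import re
from datetime import date

# Address quoted in the thread; where a hook would send ports vulnerability reports.
PORTS_SECTEAM = "ports-secteam@freebsd.org"
# Assumed Bugzilla product name for ports bugs (hypothetical, for this example).
PORTS_PRODUCT = "Ports & Packages"

# CVE-<4-digit year>-<sequence>; the sequence is 4 or more digits (CVE-ID syntax since 2014).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
CVE_FIRST_YEAR = 1999  # the CVE list started in 1999; nothing earlier is valid


def extract_cve_ids(text, today=None):
    """Return the sorted, de-duplicated CVE IDs in text, normalised to upper case.

    IDs with a year before 1999 or after the current year are dropped; this
    filters obvious typos and junk such as a mangled version string. A real
    but irrelevant ID (e.g. "already fixed CVE-...") still matches: that is
    the false positive the thread accepts as cheap to dismiss by hand.
    """
    today = today or date.today()
    ids = set()
    for match in CVE_RE.finditer(text):
        year = int(match.group(1))
        if CVE_FIRST_YEAR <= year <= today.year:
            ids.add("CVE-%s-%s" % (match.group(1), match.group(2)))
    return sorted(ids)


def triage(report, today=None):
    """Simulate a submission hook: scan summary and description for CVE IDs.

    report is a dict with 'product', 'summary' and 'description' keys (a
    constructed stand-in for a Bugzilla bug record). Returns the IDs found,
    a 'security' flag and the addresses to add to the CC list. Only ports
    bugs get ports-secteam added; other products are left for manual routing.
    """
    text = report["summary"] + "\n" + report["description"]
    cve_ids = extract_cve_ids(text, today)
    extra_cc = []
    if cve_ids and report["product"] == PORTS_PRODUCT:
        extra_cc.append(PORTS_SECTEAM)
    return {"cve_ids": cve_ids, "security": bool(cve_ids), "extra_cc": extra_cc}


# Constructed sample bug reports (not real PRs).
SAMPLE_REPORTS = [
    {
        "product": PORTS_PRODUCT,
        "summary": "graphics/ImageMagick: update to fix cve-2015-3329",
        "description": "Upstream advisory also lists CVE-2015-3330.\n"
                       "The placeholder CVE-2015-XXXX in the changelog is not yet assigned.",
    },
    {
        "product": PORTS_PRODUCT,
        "summary": "lang/php55: build fails with clang 3.6",
        "description": "Regression since the 5.5.25 update; no security impact.",
    },
    {
        "product": "Base System",
        "summary": "openssl: please merge CVE-2014-0160 fix to stable/8",
        "description": "Version string 9.3-CVE-1998-0001 in my notes is a typo.",
    },
]


def run_demo(today=date(2015, 5, 24)):
    """Triage every sample report, pinned to the thread's date so results are stable."""
    return [triage(r, today) for r in SAMPLE_REPORTS]


if __name__ == "__main__":
    for report, result in zip(SAMPLE_REPORTS, run_demo()):
        print(report["summary"])
        print("   ", result)
```

The lower-cased "cve-2015-3329" and the upper-cased "CVE-2015-3330" both come out normalised, the unassigned "CVE-2015-XXXX" placeholder is ignored because the sequence is not numeric, and "CVE-1998-0001" is dropped by the year check; the base-system report is still flagged as security-relevant but gets no automatic CC.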