Date:      Wed, 27 May 2015 14:58:10 -0500
From:      Mark Felder <feld@FreeBSD.org>
To:        Roger Marquis <marquis@roble.com>
Cc:        freebsd-ports@freebsd.org
Subject:   Re: New pkg audit / vuln.xml failures (php55, unzoo)
Message-ID:  <1432756690.2290224.279775121.3E052535@webmail.messagingengine.com>
In-Reply-To: <cmu-lmtpd-575818-1432748437-6@sloti22t01>
References:  <alpine.BSF.2.11.1505171402430.52815@eboyr.pbz> <20150523153029.B7BD3280@hub.freebsd.org> <1432659389.3130746.278522905.6D1E6549@webmail.messagingengine.com> <cmu-lmtpd-575818-1432748437-6@sloti22t01>



On Wed, May 27, 2015, at 12:40, Roger Marquis wrote:
> 
>   * perhaps as a result the vuln.xml database is no longer reliable, and
>   by extension,
> 
>   * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
>   OpenBSD server operators) have no assurance that their systems are
>   secure.
> 

Slow down here for a second. Where's the command-line tool on Red Hat or
Debian that lists only the known vulnerable packages? I don't believe
either one provides such a thing equivalent to pkg audit out of the box.
On Yum-based distros you have to "yum install yum-security" and then you
can run "yum updateinfo list sec" or "yum list-sec". Considering the
number of failed attempts at backporting patches that I've seen I
wouldn't consider this my only safety blanket.

So in that case there's a tool that may solve your specific concern in a
trivial way, and that's great. But that's not the end of the story. That
command won't list vulnerabilities until they have a patch released.
Let's look at CVE-2015-0209

https://access.redhat.com/security/cve/CVE-2015-0209

Release date was March 23rd. Here's the commit:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1b4a8df38fc9ab3c089ca5765075ee53ec5bd66a

Authored on February 9th, then embargoed it would seem. It was publicly
committed to git on February 25th. Red Hat has a bug on this, opened
February 26th:

https://bugzilla.redhat.com/show_bug.cgi?id=1196737

But still, it wasn't addressed until March 23rd!  That's quite a while
to have vulnerable systems that aren't patched and not showing results
in "yum updateinfo list sec". At least we have the capability to update
vuxml and notify people before a patch is ready or the packages are
built and distributed to the package mirrors so they can take any
required remediation steps they require. Even so, this is just a tool to
help admins. It's the admin's responsibility to know what is on their
systems and to sign up to relevant security announcement mailing lists.
Sure, you don't want to do that for everything installed on your OS, but
at least any externally facing services you are concerned about.

And let's not forget all of the missed CVEs that get late assignments
and then finally trickle down to RH/Debian due to the fact that they
don't have a rolling-release packaging strategy. Search for posts by
Kurt Seifried on the ossec mailing list if you're curious.

Additionally, utilizing CPE data as a source of known vulnerabilities is
not a perfect solution either because I've seen CVEs take weeks to hit
the database.

The grass is always greener... or is it? 

Let's just concentrate on how to improve things here and not worry about
how they're handling security issues because they have their own unique
problems to solve.
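The message above contrasts pkg audit, which matches installed package versions against the affected ranges recorded in vuln.xml (VuXML), with the "patch-gated" listing that yum updateinfo gives. The following Python script is an added example, not code from this thread or from FreeBSD's pkg: it parses a constructed VuXML document (the vid values, package names and versions are made up) and reports installed packages whose versions fall inside an affected range, the way an audit tool does once a VuXML entry is published, even before a fixed package exists. The version comparison is a simplified model of pkg's (epoch after ",", revision after "_", dotted numeric components); pkg's real algorithm handles more cases.

```python
"""Minimal VuXML range matcher (added example; not FreeBSD's pkg audit).

SAMPLE_VUXML and the installed-package list in main() are constructed for
illustration.  parse_version() is a simplified model of pkg's version
comparison, not the real implementation.
"""
import re
import xml.etree.ElementTree as ET

# Real VuXML namespace; the entries below are constructed samples.
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>example-pkg -- constructed sample entry (upper bound only)</topic>
    <affects>
      <package>
        <name>example-pkg</name>
        <range><lt>1.2.3</lt></range>
      </package>
    </affects>
    <dates><entry>2015-05-27</entry></dates>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>other-pkg -- constructed sample entry (both bounds)</topic>
    <affects>
      <package>
        <name>other-pkg</name>
        <range><ge>2.0</ge><lt>2.0.5_2</lt></range>
      </package>
    </affects>
    <dates><entry>2015-05-27</entry></dates>
  </vuln>
</vuxml>
"""


def parse_version(ver):
    """Split 'components_revision,epoch' into a comparable tuple.

    Simplified model of pkg's ordering: epoch dominates, then the dotted
    components (numbers numerically, letters as strings), then the port
    revision.  A shorter component list sorts before a longer prefix-equal one.
    """
    epoch = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in ver:
        ver, r = ver.rsplit("_", 1)
        revision = int(r)
    components = []
    for part in ver.split("."):
        for tok in re.findall(r"\d+|[A-Za-z]+", part):
            # Tag numbers and letters so tuples never compare int to str.
            components.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return (epoch, components, revision)


# VuXML bound elements and the comparison each one expresses.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version, range_el):
    """True if every bound inside one <range> holds for the given version."""
    v = parse_version(version)
    for bound in range_el:
        tag = bound.tag.split("}")[-1]  # strip the XML namespace prefix
        if tag not in OPS:
            continue
        if not OPS[tag](v, parse_version(bound.text.strip())):
            return False
    return True


def audit(installed, vuxml_text=SAMPLE_VUXML):
    """Return (name, version, vid, topic) for each installed package that
    falls inside any affected range of any <vuln> entry."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        topic = vuln.findtext("v:topic", default="", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            name = pkg.findtext("v:name", namespaces=NS)
            if name not in installed:
                continue
            version = installed[name]
            if any(in_range(version, r) for r in pkg.findall("v:range", NS)):
                hits.append((name, version, vid, topic))
    return hits


if __name__ == "__main__":
    # Constructed installed set: two vulnerable versions and one clean package.
    installed = {"example-pkg": "1.2.2", "other-pkg": "2.0.5_1", "clean-pkg": "9.9"}
    for name, version, vid, topic in audit(installed):
        print(f"{name}-{version} is vulnerable: {topic} ({vid})")
```

Because the match is driven purely by published ranges, an entry can be added to the database and flag a system as soon as the affected versions are known, which is the capability the message describes; the obvious caveat is that a stale or wrong range yields either a false negative or a false positive, so the quality of the database is what the audit result is worth.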


