From: Mark Felder
To: Roger Marquis
Cc: freebsd-ports@freebsd.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
Date: Wed, 27 May 2015 14:58:10 -0500
Message-Id: <1432756690.2290224.279775121.3E052535@webmail.messagingengine.com>
References: <20150523153029.B7BD3280@hub.freebsd.org> <1432659389.3130746.278522905.6D1E6549@webmail.messagingengine.com>
List-Id: Porting software to FreeBSD

On Wed, May 27, 2015, at 12:40, Roger Marquis wrote:
>
> * perhaps as a result the vuln.xml database is no longer reliable, and
> by extension,
>
> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
> OpenBSD server operators) have no assurance that their systems are
> secure.
>

Slow down here for a second. Where's the command-line tool on RedHat or Debian that lists only the known vulnerable packages? I don't believe either one provides such a thing equivalent to pkgaudit out of the box. On Yum-based distros you have to "yum install yum-security" and then you can run "yum updateinfo list sec" or "yum list-sec". Considering the number of failed attempts at backporting patches that I've seen, I wouldn't consider this my only safety blanket.

So in that case there's a tool that may solve your specific concern in a trivial way, and that's great. But that's not the end of the story. That command won't list vulnerabilities until they have a patch released.

Let's look at CVE-2015-0209:

https://access.redhat.com/security/cve/CVE-2015-0209

Release date was March 23rd.

Here's the commit:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1b4a8df38fc9ab3c089ca5765075ee53ec5bd66a

Authored on February 9th, then embargoed it would seem. It was publicly committed to git on February 25th.

Redhat has a bug on this, opened February 26th:

https://bugzilla.redhat.com/show_bug.cgi?id=1196737

But still, it wasn't addressed until March 23rd! That's quite a while to have vulnerable systems that aren't patched and not showing results in "yum updateinfo list sec".
At least we have the capability to update vuxml and notify people before a patch is ready or the packages are built and distributed to the package mirrors, so they can take any required remediation steps they require.

Even so, this is just a tool to help admins. It's the admin's responsibility to know what is on their systems and to sign up to relevant security announcement mailing lists. Sure, you don't want to do that for everything installed on your OS, but at least any externally facing services you are concerned about.

And let's not forget all of the missed CVEs that get late assignments and then finally trickle down to RH/Debian due to the fact that they don't have a rolling-release packaging strategy. Search for posts by Kurt Seifried on the ossec mailing list if you're curious.

Additionally, utilizing CPE data as a source of known vulnerabilities is not a perfect solution either, because I've seen CVEs take weeks to hit the database.

The grass is always greener... or is it? Let's just concentrate on how to improve things here and not worry about how they're handling security issues, because they have their own unique problems to solve.
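The point above, that a vuln.xml entry can flag installed packages before any fixed package exists, is easier to see with a small model of the matching `pkg audit` performs. This is an added example, not code from the post or from pkg itself; the VuXML entry, its vid and versions are constructed placeholders, and the version comparison is a deliberately simplified dotted-integer compare rather than pkg's full version grammar.

```python
# Added example (not from the original mailing-list post or from pkg).
# Models how an audit tool matches installed package versions against
# VuXML <range> bounds. The entry below is constructed: vid, topic and
# versions are placeholders, not a real advisory.
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed entry with only an upper bound (<lt>): this is how an entry
# can be published before a patched package has been built, so affected
# systems are flagged immediately rather than only once a fix ships.
SAMPLE_VUXML = """<?xml version="1.0"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>php55 -- placeholder issue (constructed example)</topic>
    <affects><package><name>php55</name><range><lt>5.5.25</lt></range></package></affects>
  </vuln>
</vuxml>"""

def vparse(v):
    """Simplified version key (assumption: dotted integers only)."""
    return tuple(int(p) for p in v.split("."))

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b}

def load_vulns(xml_text):
    """Return [(vid, topic, pkgname, [bounds...])]; each bounds list is one <range>."""
    vulns = []
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        topic = vuln.findtext("v:topic", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            name = pkg.findtext("v:name", namespaces=NS)
            # A <range> holds one or more bounds that must all hold (conjunction).
            ranges = [[(b.tag.split("}")[1], b.text) for b in rng]
                      for rng in pkg.findall("v:range", NS)]
            vulns.append((vuln.get("vid"), topic, name, ranges))
    return vulns

def audit(installed, vulns):
    """installed: {pkgname: version}. Returns [(pkgname, version, vid, topic)]."""
    hits = []
    for vid, topic, name, ranges in vulns:
        ver = installed.get(name)
        if ver is None:
            continue
        # Any one <range> matching is enough to flag the package.
        if any(all(OPS[op](vparse(ver), vparse(val)) for op, val in bounds)
               for bounds in ranges):
            hits.append((name, ver, vid, topic))
    return hits
```

With `{"php55": "5.5.24"}` the package is flagged even though no fixed version is named anywhere in the entry; with `5.5.25` it is not.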