Date:      Wed, 27 May 2015 15:03:38 -0700
From:      "Roger Marquis" <marquis@roble.com>
To:        "Roger Marquis" <marquis@roble.com>
Cc:        "Mark Felder" <feld@freebsd.org>, freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Subject:   Re: New pkg audit / vuln.xml failures (php55, unzoo)
In-Reply-To: <alpine.BSF.2.11.1505271015040.1509@eboyr.pbz>
References:  <alpine.BSF.2.11.1505171402430.52815@eboyr.pbz> <20150523153029.B7BD3280@hub.freebsd.org> <1432659389.3130746.278522905.6D1E6549@webmail.messagingengine.com> <alpine.BSF.2.11.1505271015040.1509@eboyr.pbz>

> Mark Felder wrote:
>> Who is "ports-secteam"?
>
> It was Xin Li who alerted me to the ports-secteam@freebsd.org address
> i.e., as being distinct from the "FreeBSD Security Team"
> (secteam@freebsd.org) address noted on
> <https://www.freebsd.org/security/>.

Also have to thank Remko Lodder for pointing out the ports-secteam@ address.
Should also note that while the ports-secteam@ is not mentioned in
<freebsd.org/security> or various other places where it probably should be
(like the Types of Problem Reports page
</doc/en_US.ISO8859-1/articles/pr-guidelines/pr-types.html>)
it is noted in the Port Specific FAQ
</doc/en_US.ISO8859-1/articles/pr-guidelines/pr-types.html> and on the port
maintainers' page </ports/ports-mgmt.html>.

Roger

>
>> There has been no Call For Help that I've ever seen. If people are needed
>> to process these CVEs so they are entered into VUXML, sign me up to
>> ports-secteam please.
>
> I believe that is part of the problem, or the multiple problems, that
> lead me to believe that FreeBSD is operating without the active
> involvement of a security officer.  Specifically:
>
>   * port vulnerability alerts sent to secteam@, as indicated on the
>   /security/ page, are neither forwarded to ports-secteam@ for review nor
>   returned to the sender with a note regarding the correct destination
>   address,
>
>   * the freebsd.org/security web page is not correct and not being
>   updated,
>
>   * aside from Xin nobody from either ports-secteam@ or secteam@ much
>   less security-officer@ seems to be reading or participating in the
>   security@ mailing list,
>
>   * nobody @freebsd.org appears to be following CVE announcements and the
>   maintainers of several high profile ports are also not following it or
>   even their application's -announce list,
>
>   * there appears to be no automated process to alert vuln.xml maintainers
>   (ports-secteam@) of potential new port vulnerabilities,
>
>   * offers of help to secteam@ and ports-secteam@ are neither replied to
>   nor acted upon (except for Xin Li's request, thanks Xin!),
>
>   * perhaps as a result the vuln.xml database is no longer reliable, and
>   by extension,
>
>   * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
>   OpenBSD server operators) have no assurance that their systems are secure.
>
> This is a MAJOR CHANGE from just a couple of years ago which calls for an
> equally major heads-up to be sent to those running FreeBSD servers and
> looking to the freebsd.org website for help securing their systems.
>
> The significance of these 7 bullets should not be overlooked or
> understated.  They call into question the viability of FreeBSD itself.
>
> IMO,
> Roger Marquis
>