Date: Sat, 23 May 2015 08:30:24 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: New pkg audit / vuln.xml failures (php55, unzoo)
In-Reply-To: <alpine.BSF.2.11.1505171402430.52815@eboyr.pbz>
References: <alpine.BSF.2.11.1505171402430.52815@eboyr.pbz>
FYI regarding these new and significant failures of FreeBSD security policy and procedures.

PHP55 vulnerabilities announced over a week ago (<https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/>) have still not been ported to lang/php55. You can, however, edit the Makefile, increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum deinstall reinstall clean' to secure a server without waiting for the port to be updated. Older versions of PHP may also have unpatched vulnerabilities that are not noted in the vuln.xml database.

New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your earliest convenience if you have these installed.

HEADS-UP: for anyone maintaining public-facing FreeBSD servers who is depending on 'pkg audit' to report whether a server is secure, it should be noted that this method is no longer reliable.

If you find a vulnerability such as a new CVE or mailing list announcement, please send it to the port maintainer and <ports-secteam@FreeBSD.org> as quickly as possible. They are woefully understaffed and need our help. Though freebsd.org indicates that security alerts should be sent to <secteam@FreeBSD.org>, this is incorrect. If the vulnerability is in a port or package, send an alert to ports-secteam@ and NOT secteam@, as the secteam will generally not reply to your email or forward the alerts to ports-secteam.

Roger

> Does anyone know what's going on with vuln.xml updates? Over the last
> few weeks and months CVEs and application mailing lists have announced
> vulnerabilities for several ports that in some cases only showed up in
> vuln.xml after several days and in other cases are still not listed
> (despite email to the security team).
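The manual port bump the message describes (edit the port Makefile, raise PORTVERSION, then 'make makesum deinstall reinstall clean'), written out as a small script. This is an added example, not code from the original mail or from the FreeBSD ports tree. It assumes a ports-style Makefile with a single "PORTVERSION=" line (and optionally "PORTREVISION="), a port directory such as /usr/ports/lang/php55 that is only a placeholder here, and a DRY_RUN variable that is purely this script's own convention for exercising it without a ports tree. One caveat the message does not spell out: the script refuses to edit a Makefile whose current PORTVERSION is not the one you expected, so a bump typed against the wrong base version fails loudly instead of silently producing a port that fetches the wrong distfile.

```shell
#!/bin/sh
# Added example: bump a port's PORTVERSION and rebuild it, as described in the
# message above. Not part of the original mail or of the FreeBSD ports tree.
set -eu

# bump_portversion MAKEFILE OLD NEW
# Rewrites "PORTVERSION= OLD" to NEW in MAKEFILE. Refuses to touch the file if
# the current PORTVERSION is not OLD, so the edit is never applied against an
# unexpected base version. If a PORTREVISION line exists it is reset to 0,
# because a new upstream version starts the port revision counter over.
bump_portversion() {
    mk=$1; old=$2; new=$3
    cur=$(sed -n 's/^PORTVERSION=[[:space:]]*//p' "$mk")
    if [ "$cur" != "$old" ]; then
        echo "bump_portversion: $mk has PORTVERSION=$cur, expected $old" >&2
        return 1
    fi
    # -i.bak works with both BSD sed and GNU sed; the backup is removed after.
    sed -i.bak \
        -e "s/^\(PORTVERSION=[[:space:]]*\).*/\1$new/" \
        -e "s/^\(PORTREVISION=[[:space:]]*\).*/\10/" "$mk"
    rm -f "$mk.bak"
}

# rebuild_port PORTDIR
# Runs the targets from the message: "makesum" refetches the new distfile and
# regenerates distinfo (so the checksum check is against the new tarball, not
# skipped), then the installed package is replaced and the work dir cleaned.
# With DRY_RUN=1 (this script's own convention) the command is printed instead
# of executed, so the script can be tried without a ports tree.
rebuild_port() {
    portdir=$1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "cd $portdir && make makesum deinstall reinstall clean"
        return 0
    fi
    (cd "$portdir" && make makesum deinstall reinstall clean)
}

# Usage: sh bump-port.sh /usr/ports/lang/php55 5.5.24 5.5.25
# (port directory and versions are placeholders taken from the message)
if [ "${1:-}" != "" ]; then
    bump_portversion "$1/Makefile" "$2" "$3"
    rebuild_port "$1"
fi
```

Run it as root from a checked-out ports tree; 'make makesum' needs network access to fetch the new distfile. After the bump, 'pkg info php55' should report the new version, but as the message notes, 'pkg audit' will still say nothing about the old one until vuln.xml catches up.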