From: Roger Marquis
To: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Date: Sat, 23 May 2015 08:30:24 -0700 (PDT)
Subject: New pkg audit / vuln.xml failures (php55, unzoo)

FYI regarding these new and significant failures of FreeBSD security policy and procedures.

PHP55 vulnerabilities announced over a week ago have still not been ported to lang/php55. You can, however, edit the Makefile, increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum deinstall reinstall clean' to secure a server without waiting for the port to be updated. Older versions of PHP may also have unpatched vulnerabilities that are not noted in the vuln.xml database.

New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your earliest convenience if you have these installed.
HEADS-UP: anyone maintaining public-facing FreeBSD servers who is depending on 'pkg audit' to report whether a server is secure should note that this method is no longer reliable. If you find a vulnerability such as a new CVE or mailing list announcement, please send it to the port maintainer and [...] as quickly as possible. They are woefully understaffed and need our help. Though freebsd.org indicates that security alerts should be sent to [...], this is incorrect. If the vulnerability is in a port or package, send an alert to ports-secteam@ and NOT secteam@, as the secteam will generally not reply to your email or forward the alerts to ports-secteam.

Roger

> Does anyone know what's going on with vuln.xml updates? Over the last
> few weeks and months CVEs and application mailing lists have announced
> vulnerabilities for several ports that in some cases only showed up in
> vuln.xml after several days and in other cases are still not listed
> (despite email to the security team).
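The PORTVERSION bump described above, as an added example that is not part of the original mail and not FreeBSD project code. It rewrites the PORTVERSION line of a ports Makefile in place and drops any PORTREVISION line (a port's revision restarts when the upstream version changes), then prints the commands the message recommends. The sample Makefile is constructed for illustration and only resembles lang/php55/Makefile of the time; the function names are the example's own. One caveat a practitioner should keep in mind: 'make makesum' records the checksums of whatever distfile it fetches, so the new version is only as trustworthy as the mirror it came from unless you also verify the upstream signature or published checksums.

```shell
#!/bin/sh
# Added example, not from the original mail or from the FreeBSD ports tree.
# Assumes a ports-style Makefile containing a "PORTVERSION=" line.
set -eu

# current_portversion MAKEFILE : print the version the Makefile declares.
current_portversion() {
    sed -n 's/^PORTVERSION=[[:space:]]*//p' "$1"
}

# bump_portversion MAKEFILE NEWVERSION
# Rewrites PORTVERSION in place and removes any PORTREVISION line, since
# the revision counter restarts when the upstream version changes.
# Edits go through a temp file so a failed sed leaves the Makefile intact.
bump_portversion() {
    mk=$1
    new=$2
    old=$(current_portversion "$mk")
    if [ -z "$old" ]; then
        echo "no PORTVERSION line in $mk" >&2
        return 1
    fi
    tmp="$mk.tmp.$$"
    sed -e "s/^\(PORTVERSION=[[:space:]]*\).*/\1$new/" \
        -e '/^PORTREVISION=/d' "$mk" > "$tmp"
    mv "$tmp" "$mk"
    echo "bumped $mk: $old -> $new" >&2
}

# demo : run the bump against a constructed sample Makefile and print the
# resulting version line, followed by the commands to run in the port dir.
demo() {
    d=$(mktemp -d)
    # Constructed sample; only resembles lang/php55/Makefile from 2015.
    cat > "$d/Makefile" <<'EOF'
PORTNAME=      php55
PORTVERSION=   5.5.24
PORTREVISION=  1
CATEGORIES=    lang devel www
MASTER_SITES=  PHP/distributions
EOF
    bump_portversion "$d/Makefile" 5.5.25
    current_portversion "$d/Makefile"
    rm -rf "$d"
    # The steps the message recommends once the Makefile is edited.
    echo "next: cd /usr/ports/lang/php55 && make makesum deinstall reinstall clean"
}

# Run the demo only when executed directly, not when sourced.
case "${0##*/}" in
    sh|bash|dash) ;;
    *) demo ;;
esac
```

After 'make makesum' rewrites distinfo, compare the recorded SHA256 against the checksum or signature published by upstream before running the reinstall step; a vulnerable port is not improved by replacing it with an unverified tarball.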