Date: Sat, 23 May 2015 20:28:32 +0200
From: Remko Lodder <remko@FreeBSD.org>
To: Roger Marquis <marquis@roble.com>
Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
Message-ID: <E1590CCF-246E-4DC6-9E85-749003092813@FreeBSD.org>
In-Reply-To: <20150523153030.CEA8C2DB@hub.freebsd.org>
References: <alpine.BSF.2.11.1505171402430.52815@eboyr.pbz> <20150523153030.CEA8C2DB@hub.freebsd.org>
Please send these things to ports-secteam@FreeBSD.org so that they can have a look at these please.

Thanks,
Remko

> On 23 May 2015, at 17:30, Roger Marquis <marquis@roble.com> wrote:
>
> FYI regarding these new and significant failures of FreeBSD security
> policy and procedures.
>
> PHP55 vulnerabilities announced over a week ago
> (<https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/>) have still
> not been ported to lang/php55. You can, however, edit the Makefile,
> increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum
> deinstall reinstall clean' to secure a server without waiting for the
> port to be updated. Older versions of PHP may also have unpatched
> vulnerabilities that are not noted in the vuln.xml database.
>
> New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg
> audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your earliest
> convenience if you have these installed.
>
> HEADS-UP: anyone maintaining public-facing FreeBSD servers who is
> depending on 'pkg audit' to report whether a server is secure: it should
> be noted that this method is no longer reliable.
>
> If you find a vulnerability such as a new CVE or mailing list
> announcement, please send it to the port maintainer and
> <ports-secteam@FreeBSD.org> as quickly as possible. They are woefully
> understaffed and need our help. Though freebsd.org indicates that
> security alerts should be sent to <secteam@FreeBSD.org>, this is
> incorrect. If the vulnerability is in a port or package, send an alert to
> ports-secteam@ and NOT secteam@, as the secteam will generally not reply
> to your email or forward the alerts to ports-secteam.
>
> Roger
>
>> Does anyone know what's going on with vuln.xml updates? Over the last
>> few weeks and months CVEs and application mailing lists have announced
>> vulnerabilities for several ports that in some cases only showed up in
>> vuln.xml after several days and in other cases are still not listed
>> (despite email to the security team).

-- 
/"\   Best regards,                        | remko@FreeBSD.org
\ /   Remko Lodder                         | remko@EFnet
 X    http://www.evilcoder.org/            |
/ \   ASCII Ribbon Campaign                | Against HTML Mail and News
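Roger's point is that 'pkg audit' can only flag a package once the vulnerability has a vuln.xml (VuXML) entry, so the delay between disclosure and entry is exactly the window in which an audited server looks clean. As an added example (not part of this thread, and not code from pkg(8) or the FreeBSD ports tree), the checker below parses a VuXML document, matches installed package versions against the `<range>` bounds, and reports each matching entry together with its discovery-to-entry lag in days. The vuln.xml excerpt, its `vid` and its dates are constructed, and the version comparison is a simplified dotted-numeric one rather than the full pkg_version(1) rules.

```python
"""Match installed package versions against a VuXML (vuln.xml) document and
report how many days each entry landed after disclosure.  Added example;
the VuXML excerpt below is constructed, not a real entry."""
import xml.etree.ElementTree as ET
from datetime import date

NS = {"v": "http://www.vuxml.org/2004/vuxml-1.0/"}

# Constructed sample in the VuXML schema: vid, topic and dates are made up.
SAMPLE_VULN_XML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/2004/vuxml-1.0/">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>php55 -- multiple vulnerabilities (constructed sample)</topic>
    <affects>
      <package><name>php55</name>
        <range><ge>5.5</ge><lt>5.5.25</lt></range></package>
    </affects>
    <dates><discovery>2015-05-14</discovery><entry>2015-05-22</entry></dates>
  </vuln>
</vuxml>"""

def parse_version(v):
    """Simplified version parse: dotted numeric components only.  Real
    pkg_version(1) ordering also handles _N (PORTREVISION) and ,N (EPOCH)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def in_range(version, rng):
    """True if version satisfies every bound element inside one <range>."""
    ops = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
           "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
           "eq": lambda a, b: a == b}
    v = parse_version(version)
    # Element tags carry the namespace as "{uri}lt"; keep only the local name.
    return all(ops[b.tag.split("}")[1]](v, parse_version(b.text)) for b in rng)

def audit(installed, vuxml_text=SAMPLE_VULN_XML):
    """installed: {pkgname: version}.  Returns a list of
    (pkgname, version, topic, entry_lag_days) for every matching entry."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        topic = vuln.findtext("v:topic", default="", namespaces=NS)
        dates = vuln.find("v:dates", NS)
        disc = date.fromisoformat(dates.findtext("v:discovery", namespaces=NS))
        entry = date.fromisoformat(dates.findtext("v:entry", namespaces=NS))
        for pkg in vuln.findall("v:affects/v:package", NS):
            name = pkg.findtext("v:name", namespaces=NS)
            if name in installed and any(in_range(installed[name], r)
                                         for r in pkg.findall("v:range", NS)):
                hits.append((name, installed[name], topic, (entry - disc).days))
    return hits
```

Feeding it the local database (by default /var/db/pkg/vuln.xml on FreeBSD, after 'pkg audit -F' has fetched it) and the output of 'pkg query "%n %v"' gives the same matches as 'pkg audit' plus the lag figure, which makes it easy to see how stale the database tends to be for the ports you run.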