Message-ID: <556746A4.4090208@FreeBSD.org>
Date: Thu, 28 May 2015 11:47:32 -0500
From: Bryan Drewery
Organization: FreeBSD
To: Roger Marquis, Mark Felder
CC: freebsd-ports@freebsd.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
References: <20150523153029.B7BD3280@hub.freebsd.org> <1432659389.3130746.278522905.6D1E6549@webmail.messagingengine.com> <20150527174037.EF719B11@hub.freebsd.org>
In-Reply-To: <20150527174037.EF719B11@hub.freebsd.org>
List-Id: Porting software to FreeBSD

On 5/27/2015 12:40 PM, Roger Marquis wrote:
>>> If you find a vulnerability such as a new CVE or mailing list
>>> announcement please send it to the port maintainer and
>>> as quickly as possible. They are woefully
>>> understaffed and need our help.
> Mark Felder wrote:
>> Who is "ports-secteam"?
>
> It was Xin Li who alerted me to the ports-secteam@freebsd.org address
> i.e., as being distinct from the "FreeBSD Security Team"
> (secteam@freebsd.org) address noted on
> .
>
>> There has been no Call For Help that I've ever seen. If people are needed
>> to process these CVEs so they are entered into VUXML, sign me up to
>> ports-secteam please.
>
> I believe that is part of the problem, or the multiple problems, that
> lead me to believe that FreeBSD is operating without the active
> involvement of a security officer. Specifically:
>
> * port vulnerability alerts sent to secteam@, as indicated on the
> /security/ page, are neither forwarded to ports-secteam@ for review nor
> returned to the sender with a note regarding the correct destination
> address,
>
> * the freebsd.org/security web page is not correct and not being
> updated,
>
> * aside from Xin nobody from either ports-secteam@ or secteam@, much
> less security-officer@, seems to be reading or participating in the
> security@ mailing list,
>
> * nobody @freebsd.org appears to be following CVE announcements and the
> maintainers of several high profile ports are also not following it or
> even their application's -announce list,
>
> * there appears to be no automated process to alert vuln.xml maintainers
> (ports-secteam@) of potential new port vulnerabilities,
>
> * offers of help to secteam@ and ports-secteam@ are neither replied to
> nor acted upon (except for Xin Li's request, thanks Xin!),
>
> * perhaps as a result the vuln.xml database is no longer reliable, and
> by extension,
>
> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
> OpenBSD server operators) have no assurance that their systems are secure.
>
> This is a MAJOR CHANGE from just a couple of years ago which calls for an
> equally major heads-up to be sent to those running FreeBSD servers and
> looking to the freebsd.org website for help securing their systems.
>
> The significance of these 7 bullets should not be overlooked or
> understated. They call into question the viability of FreeBSD itself.
>
> IMO,
> Roger Marquis

Personally I agree on all points. Our ports security regime is not working.
As someone who has personally jumped on updating ports during security crises, I have found it difficult to get others engaged. I would usually implore others to just fix it, and once it was not done after a period of time I would do it. I don't have time to react to every security incident. This php one came up in the week and I almost "just fixed it", but doing those things burns me out as I have my own priorities.

I'm not on ports-secteam, but I did ask to join last year and had no response. The request was even about recruiting more help.

I think the VUXML database needs to be simpler to contribute to. Only a handful of committers feel comfortable touching the file. We have also had the wrong pervasive mentality by committers and users that the vuxml database should only have an entry if there is a committed fix. This is totally wrong. These CVEs are _already public_ in all of these cases. Users deserve to know that there is a known issue with a package they have installed. I can understand how the mentality grew to what it is with some people, but the fact that there is not an update doesn't change that the user's system is insecure and needs to be dealt with. If the tool can't reliably report issues then it is not worth trusting.

TL;DR: the file needs to be simpler. I know there is an effort to use CPE but I'm not too familiar with where it is going.

As for maintainers tracking upstream mailing lists, this is hard. I'm subscribed to a lot of lists and can't keep up with all of the traffic.

The RedHat security team and reporting are very impressive. Don't forget that they are a funded company though. Perhaps the FreeBSD Foundation needs to fund a full-time security officer that is devoted to both Ports and Src. Just the Ports piece is easily a full-time job.
-- 
Regards,
Bryan Drewery