From owner-freebsd-security@freebsd.org Mon Apr 12 10:21:41 2021
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm missing in vuxml
To: Gian Piero Carrubba, freebsd-security@freebsd.org
References: <20210406202258.1642E15C4A@freefall.freebsd.org> <20210406202303.3B6F715D1E@freefall.freebsd.org> <20210406202309.EECD015EA7@freefall.freebsd.org> <20210411075824.fzrbnrtus6iiw2cq@robinhood.fdc.rm-rf.it> <20210411192125.knknarbiul3alggx@robinhood.fdc.rm-rf.it> <20210411194932.t4a6dtjdvhynj2uf@robinhood.fdc.rm-rf.it>
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Mon, 12 Apr 2021 12:21:34 +0200
In-Reply-To: <20210411194932.t4a6dtjdvhynj2uf@robinhood.fdc.rm-rf.it>

On 11/04/2021 21:49, Gian Piero Carrubba wrote:
> * [Sun, Apr 11, 2021 at 09:36:05PM +0200] Miroslav Lachman:
>> On 11/04/2021 21:21, Gian Piero Carrubba wrote:
>>> CCing ports-secteam@ as it seems a more appropriate recipient.
>>
>> Vulnerabilities in base should be handled by core secteam, not ports
>> secteam.
>
> The maintainer address for vuxml is ports-secteam@, so my impression is
> that entries in vuxml, regardless if they affect base or ports, are
> managed by them. Am I wrong?

Because there are entries mainly for ports and vuxml is a port too. But the responsible side for vulnerabilities in base is the Security Officer Team. They are publishing SAs, they should create and submit entries to vuxml. They are almost always lagging behind, sometimes for months.

I tried creating patches with entries in the past because I am the author of the base-audit script and maintainer of the port, but then it was waiting for a long time to have it confirmed by the Security Officer Team. I fought with this many times.

Responsibilities of the FreeBSD Ports Security Team
https://wiki.freebsd.org/ports-secteam

Kind regards
Miroslav Lachman