Date: Mon, 24 Oct 2016 18:23:42 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: Kevin Oberman <rkoberman@gmail.com>
Cc: Pavel Timofeev <timp87@gmail.com>, ports-list freebsd <freebsd-ports@freebsd.org>
Subject: Re: Vulnerabilities not included into FreeBSD vuxml
In-Reply-To: <CAN6yY1stUEukDQf0wr%2BWAyOcXw2FuYJGtosnYqmy47ViRQnEag@mail.gmail.com>
References: <CAAoTqfvPAnxr5px-QM2zModwYMSU=fHiBC=njSYmgZ41KPSrYQ@mail.gmail.com> <CAN6yY1stUEukDQf0wr%2BWAyOcXw2FuYJGtosnYqmy47ViRQnEag@mail.gmail.com>
>> MySQL - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL
>> VirtualBox - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR
>
> I don't use MySQL, but the list does not include any CVEs that are
> applicable to the versions currently in ports. Or at least MySQL 5.5 and
> VirtualBox. (Packages lag a bit and I imagine that 5.5.53 (MySQL) and 5.1.8
> (VB) may not be available in all repos for a couple of days.)

Many of us see this as a major weakness in the FreeBSD security model. The
fact that a port or package was deprecated after being installed is simply
not a good reason for not listing it in the vuxml. I say this from
experience, having had to inform more than one FreeBSD site that they were
hosting known insecure software when they had previously trusted 'pkg audit'.

Roger Marquis
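The gap Roger describes is that 'pkg audit' can only report what VuXML lists, so a package whose port was deprecated or removed after installation stays silent even when it is known to be insecure. The script below is an added example, not part of the original thread or of FreeBSD's tooling: it takes the output of `pkg query '%o %n-%v'` and flags every installed package whose port origin no longer exists in the ports tree, which is the population 'pkg audit' is blind to. The ports directory, the package list file and the package names in the demo (including the removed `www/old-removed-port`) are constructed data; the MySQL 5.5.53 and VirtualBox 5.1.8 versions are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not FreeBSD's own tooling): list installed packages whose
# port origin has disappeared from the ports tree. 'pkg audit' only reports
# what VuXML lists, and a removed port receives no further VuXML entries, so
# these packages need a manual review against upstream advisories.

# find_orphans PORTSDIR PKGLIST
#   PORTSDIR: root of a checked-out ports tree (normally /usr/ports)
#   PKGLIST:  file with lines "origin name-version", i.e. the output of
#             pkg query '%o %n-%v'
#   Prints "name-version origin" for each package whose origin directory
#   is missing under PORTSDIR; prints nothing when every origin exists.
find_orphans() {
    portsdir=$1
    pkglist=$2
    while read -r origin pkg; do
        [ -n "$origin" ] || continue          # skip blank lines
        if [ ! -d "$portsdir/$origin" ]; then
            printf '%s %s\n' "$pkg" "$origin"
        fi
    done < "$pkglist"
}

# demo: runs find_orphans against a constructed ports tree and package list
# (not real system state) so the check can be exercised offline.
demo() {
    tmp=$(mktemp -d)
    # Two origins still present in the (constructed) ports tree ...
    mkdir -p "$tmp/ports/databases/mysql55-server" \
             "$tmp/ports/emulators/virtualbox-ose"
    # ... and an installed package list that also contains a removed port.
    cat > "$tmp/pkgs" <<'EOF'
databases/mysql55-server mysql55-server-5.5.53
emulators/virtualbox-ose virtualbox-ose-5.1.8
www/old-removed-port old-removed-port-1.0
EOF
    find_orphans "$tmp/ports" "$tmp/pkgs"
    rm -rf "$tmp"
}

# Real use on a FreeBSD host with a checked-out ports tree:
#   pkg query '%o %n-%v' > /tmp/installed.txt
#   find_orphans /usr/ports /tmp/installed.txt
```

On a real host, `pkg version -l '?'` reports the same population (packages whose origin is not found in the ports tree) without a script; the point of either check is that it complements 'pkg audit' rather than replacing it. A hit only means the port is gone, not that the software is vulnerable, and a renamed port will show up as well, so each flagged package still has to be checked against the upstream advisory by hand.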