From owner-freebsd-ports@freebsd.org Tue Oct 25 01:23:50 2016
Date: Mon, 24 Oct 2016 18:23:42 -0700 (PDT)
From: Roger Marquis
To: Kevin Oberman
cc: Pavel Timofeev, ports-list freebsd
Subject: Re: Vulnerabilities not included into FreeBSD vuxml
List-Id: Porting software to FreeBSD

>> MySQL - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL
>> VirtualBox - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR
>>
>
> I don't use MySQL, but the list does not include any CVEs that are
> applicable to the versions currently in ports. Or at least MySQL 5.5. and
> VirtualBox. (Packages lag a bit and I imagine that 5.5.53 (MySQL) and 5.1.8
> (VB) may not be available in all repos for a couple of days.)

Many of us see this as a major weakness in the FreeBSD security model. The fact that a port or package was deprecated after being installed is simply not a good reason for not listing it in the vulnxml.

I say this from experience, having had to inform more than one FreeBSD site that they were hosting known insecure software when they had previously trusted 'pkg audit'.

Roger Marquis