Date:      Mon, 24 Oct 2016 18:23:42 -0700 (PDT)
From:      Roger Marquis <marquis@roble.com>
To:        Kevin Oberman <rkoberman@gmail.com>
Cc:        Pavel Timofeev <timp87@gmail.com>,  ports-list freebsd <freebsd-ports@freebsd.org>
Subject:   Re: Vulnerabilities not included into FreeBSD vuxml
In-Reply-To: <CAN6yY1stUEukDQf0wr+WAyOcXw2FuYJGtosnYqmy47ViRQnEag@mail.gmail.com>
References:  <CAAoTqfvPAnxr5px-QM2zModwYMSU=fHiBC=njSYmgZ41KPSrYQ@mail.gmail.com> <CAN6yY1stUEukDQf0wr+WAyOcXw2FuYJGtosnYqmy47ViRQnEag@mail.gmail.com>

>> MySQL - http://www.oracle.com/technetwork/security-advisory/
>> cpuoct2016-2881722.html#AppendixMSQL
>> VirtualBox - http://www.oracle.com/technetwork/security-advisory/
>> cpuoct2016-2881722.html#AppendixOVIR
>>
>
> I don't use MySQL, but the list does not include any CVEs that are
> applicable to the versions currently in ports. Or at least MySQL 5.5 and
> VirtualBox. (Packages lag a bit and I imagine that 5.5.53 (MySQL) and 5.1.8
> (VB) may not be available in all repos for a couple of days.)

Many of us see this as a major weakness in the FreeBSD security model.
The fact that a port or package was deprecated after being installed is
simply not a good reason for not listing it in the vuxml.  I say this
from experience, having had to inform more than one FreeBSD site that they
were hosting known insecure software when they had previously trusted
'pkg audit'.

Roger Marquis