From owner-freebsd-security@freebsd.org Tue Apr 13 09:12:16 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6C0015D8CD3 for ; Tue, 13 Apr 2021 09:12:16 +0000 (UTC) (envelope-from SRS0=8X+v=JK=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4FKKcb3qvRz4TnB for ; Tue, 13 Apr 2021 09:12:15 +0000 (UTC) (envelope-from SRS0=8X+v=JK=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 47DAE28416; Tue, 13 Apr 2021 11:12:07 +0200 (CEST) Received: from illbsd.quip.test (ip-94-113-69-69.net.upcbroadband.cz [94.113.69.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id E21C72840C; Tue, 13 Apr 2021 11:12:05 +0200 (CEST) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm missing in vuxml To: Gordon Tetlow Cc: Gian Piero Carrubba , freebsd-security@freebsd.org References: <9695BE88-A3E7-498D-8A5A-92BCB2E79DBD@tetlows.org> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: <9cb63bdb-9d71-88cb-7a6e-1dcd25609e8a@quip.cz> Date: Tue, 13 Apr 2021 11:12:05 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <9695BE88-A3E7-498D-8A5A-92BCB2E79DBD@tetlows.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 4FKKcb3qvRz4TnB X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of SRS0=8X@elsa.codelab.cz has no SPF policy when checking 94.124.105.4) smtp.mailfrom=SRS0=8X@elsa.codelab.cz X-Spamd-Result: default: False [0.71 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; NEURAL_HAM_SHORT(-0.49)[-0.494]; FORGED_SENDER(0.30)[000.fbsd@quip.cz,SRS0=8X@elsa.codelab.cz]; RECEIVED_SPAMHAUS_PBL(0.00)[94.113.69.69:received]; RCVD_TLS_LAST(0.00)[]; R_DKIM_NA(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[94.124.105.4:from]; TAGGED_FROM(0.00)[v=JK=quip.cz=000.fbsd]; FROM_NEQ_ENVFROM(0.00)[000.fbsd@quip.cz,SRS0=8X@elsa.codelab.cz]; ASN(0.00)[asn:42000, ipnet:94.124.104.0/21, country:CZ]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; MIME_GOOD(-0.10)[text/plain]; MIME_TRACE(0.00)[0:+]; AUTH_NA(1.00)[]; DMARC_NA(0.00)[quip.cz]; SPAMHAUS_ZRD(0.00)[94.124.105.4:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_SPAM_LONG(1.00)[1.000]; R_SPF_NA(0.00)[no SPF record]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Apr 2021 09:12:16 -0000 On 13/04/2021 06:03, Gordon Tetlow wrote: > >> On Apr 12, 2021, at 03:21, Miroslav Lachman <000.fbsd@quip.cz> wrote: >> >> On 11/04/2021 21:49, Gian Piero Carrubba wrote: >>> * [Sun, Apr 11, 2021 at 09:36:05PM +0200] Miroslav Lachman: >>>>> On 11/04/2021 21:21, Gian Piero Carrubba wrote: >>>>>> CCing ports-secteam@ as it seems a more appropriate recipient. >>>> >>>> Vulnerabilities in base should be handled by core secteam, not ports secteam. >>> The maintainer address for vuxml is ports-secteam@, so my impression is that entries in vuxml, regardless if they affect base or ports, are managed by them. Am I wrong? >> >> Because there are entries mainly for ports and vuxml is port too. But the responsible side for vulnerabilities in base is Security Officer Team. They are publishing SAs, they should create and submit entries to vuxml. They are almost always lacking behind, sometimes for months. I tried created patches with entries in the past because I am the author of base-audit script and maintainer of the port but then it was waiting for a long time to have it confirmed by Security Officer Team. >> >> I fought with this many times. > > Hi there! > > Secteam has been pretty faithfully putting base issues into vuxml for the past year at least, thanks to the tireless work by Philip. The current issues were committed to vuxml 6 days ago. Apparently, the backend that serves the vuxml for clients hasn’t been updated for the ports git transition. There is a pr for that already and hopefully it will be sorted soon. Good to hear that. I hope it will be fixed soon. Kind regards Miroslav Lachman