Date: Sat, 23 May 2015 17:55:00 +0200
From: Andreas Andersson <a.andersson.thn@gmail.com>
To: Roger Marquis <marquis@roble.com>
Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
Message-ID: <CANYZJQZj0212m02BO3%2Bx7Wob2Cn31KNkpNoGZd6f6WdqbYnd-g@mail.gmail.com>
In-Reply-To: <20150523153029.F1BBE2AA@hub.freebsd.org>
References: <alpine.BSF.2.11.1505171402430.52815@eboyr.pbz> <20150523153029.F1BBE2AA@hub.freebsd.org>
Is it enough to only update php55? I could create a patch with relative easiness in that case.

2015-05-23 17:30 GMT+02:00 Roger Marquis <marquis@roble.com>:
> FYI regarding these new and significant failures of FreeBSD security
> policy and procedures.
>
> PHP55 vulnerabilities announced over a week ago
> (<https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/>) have still
> not been ported to lang/php55. You can, however, edit the Makefile,
> increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum
> deinstall reinstall clean' to secure a server without waiting for the
> port to be updated. Older versions of PHP may also have unpatched
> vulnerabilities that are not noted in the vuln.xml database.
>
> New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg
> audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your earliest
> convenience if you have these installed.
>
> HEADS-UP: anyone maintaining public-facing FreeBSD servers who is
> depending on 'pkg audit' to report whether a server is secure should
> note that this method is no longer reliable.
>
> If you find a vulnerability such as a new CVE or mailing list
> announcement please send it to the port maintainer and
> <ports-secteam@FreeBSD.org> as quickly as possible. They are woefully
> understaffed and need our help. Though freebsd.org indicates that
> security alerts should be sent to <secteam@FreeBSD.org> this is
> incorrect. If the vulnerability is in a port or package send an alert to
> ports-secteam@ and NOT secteam@ as the secteam will generally not reply
> to your email or forward the alerts to ports-secteam.
>
> Roger
>
>> Does anyone know what's going on with vuln.xml updates? Over the last
>> few weeks and months CVEs and application mailing lists have announced
>> vulnerabilities for several ports that in some cases only showed up in
>> vuln.xml after several days and in other cases are still not listed
>> (despite email to the security team).
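The manual version bump Roger describes, as an added shell example that is not from the thread: it rewrites PORTVERSION in a port Makefile (a constructed sample stands in for lang/php55/Makefile), drops any PORTREVISION line because a version bump resets the port revision, and wraps the make targets; rebuild_port assumes a ports tree on the host and is not invoked here.

```shell
#!/bin/sh
# Added example, not code from the thread. Versions and port are the
# thread's (lang/php55, 5.5.24 -> 5.5.25); the sample Makefile is constructed.
set -eu

# bump_portversion FILE OLD NEW
# Refuses to edit unless FILE really carries PORTVERSION=OLD, then rewrites
# it to NEW and deletes PORTREVISION (a new PORTVERSION starts at revision 0).
bump_portversion() {
    file=$1 old=$2 new=$3
    grep -q "^PORTVERSION=[[:space:]]*${old}\$" "$file" || {
        echo "expected PORTVERSION=${old} in ${file}" >&2
        return 1
    }
    sed -i.bak -e "s/^\(PORTVERSION=[[:space:]]*\)${old}\$/\1${new}/" \
               -e '/^PORTREVISION=/d' "$file"
}

# current_portversion FILE: prints the PORTVERSION value of a port Makefile
current_portversion() {
    sed -n 's/^PORTVERSION=[[:space:]]*//p' "$1"
}

# rebuild_port PORTDIR: the sequence from the thread; regenerates distinfo
# for the new distfile, then replaces the installed package (needs ports tree).
rebuild_port() {
    ( cd "$1" && make makesum deinstall reinstall clean )
}

# Constructed sample standing in for /usr/ports/lang/php55/Makefile
demo_makefile=$(mktemp)
cat > "$demo_makefile" <<'EOF'
PORTNAME=	php55
PORTVERSION=	5.5.24
PORTREVISION=	1
CATEGORIES=	lang devel www
EOF

if [ "${1:-}" = "--demo" ]; then
    bump_portversion "$demo_makefile" 5.5.24 5.5.25
    current_portversion "$demo_makefile"
fi
```

After make makesum, compare the regenerated distinfo checksums against the ones upstream publishes for 5.5.25 before reinstalling, since makesum trusts whatever the mirror served.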