From: Jason Unovitch
To: ports-secteam@FreeBSD.org, freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Date: Sat, 23 May 2015 12:14:54 -0400
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)

On Sat, May 23, 2015 at 11:30 AM, Roger Marquis wrote:
> If you find a vulnerability such as a new CVE or mailing list
> announcement please send it to the port maintainer and
> as quickly as possible. They are woefully
> understaffed and need our help. Though freebsd.org indicates that
> security alerts should be sent to this is
> incorrect. If the vulnerability is in a port or package send an alert to
> ports-secteam@ and NOT secteam@ as the secteam will generally not reply
> to your email or forward the alerts to ports-secteam.
>
> Roger
>

I've attempted to knock out a couple of these over the past 2 days.
There's certainly a non-trivial amount of PRs stuck in Bugzilla that
mention security or CVE that need some care and attention. Here's a
few that are now ready for the taking.

vuxml patch ready:
emulators/virtualbox-ose -- https://bugs.freebsd.org/200311
databases/cassandra -- https://bugs.freebsd.org/199091
databases/cassandra2 -- https://bugs.freebsd.org/200414 (refers to vuxml patch in PR 199091)
sysutils/py-salt -- https://bugs.freebsd.org/200172

vuxml previously done and update patch ready:
net/chrony -- https://bugs.freebsd.org/199508

both vuxml and update patch ready:
mail/davmail -- https://bugs.freebsd.org/198297

Jason