From: Mark Felder <feld@FreeBSD.org>
To: Mason Loring Bliss, freebsd-security@freebsd.org
Cc: info@freebsdfoundation.org
Message-Id: <1439566064.3432937.356330361.6E353C63@webmail.messagingengine.com>
Subject: Re: Quarterly packages and security updates...
Date: Fri, 14 Aug 2015 10:27:44 -0500
In-Reply-To: <20150813202007.GC4093@blisses.org>

On Thu, Aug 13, 2015, at 15:20, Mason Loring Bliss wrote:
> A recent quarterly report:
>
> https://www.freebsd.org/news/status/report-2015-04-2015-06.html
>
> and last week's BSD Now episode both hint that quarterly packages will be the
> default for 10.2. I just looked, and sure enough:
>
> https://svnweb.freebsd.org/base/releng/10.2/etc/pkg/FreeBSD.conf?view=markup
>
> So, my issue here is that I run quarterly branches, and they are awful in
> terms of security updates. With FreeBSD 10.2 imminent, are we expecting users
> to install vulnerable versions of things like Firefox right off the bat, and
> then wait for whatever fixes exist at the time the next quarterly branch is
> cut?

You should not see vulnerable packages in the quarterly branch unless there is no public fix available. If you come across this type of situation where it is fixed in HEAD but not in the quarterly branch, please email the maintainer and ports-secteam@ ASAP.
> A pkg audit against an up-to-date package set is pretty disappointing:
>
> /usr/ports# pkg audit -F
> vulnxml file up-to-date
> libvpx-1.4.0 is vulnerable:
> libvpx -- multiple buffer overflows
> CVE: CVE-2015-4486
> CVE: CVE-2015-4485
> WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html
>
> libxul-38.1.0 is vulnerable:
> mozilla -- multiple vulnerabilities
> CVE: CVE-2015-4493
> CVE: CVE-2015-4492
> CVE: CVE-2015-4491
> CVE: CVE-2015-4490
> CVE: CVE-2015-4489
> CVE: CVE-2015-4488
> CVE: CVE-2015-4487
> CVE: CVE-2015-4484
> CVE: CVE-2015-4483
> CVE: CVE-2015-4482
> CVE: CVE-2015-4481
> CVE: CVE-2015-4480
> CVE: CVE-2015-4479
> CVE: CVE-2015-4478
> CVE: CVE-2015-4474
> CVE: CVE-2015-4473
> WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

This was handled here: https://svnweb.freebsd.org/ports?view=revision&revision=394030

> sox-14.4.2 is vulnerable:
> sox -- memory corruption vulnerabilities
> WWW: https://vuxml.FreeBSD.org/freebsd/9dd761ff-30cb-11e5-a4a5-002590263bf5.html

Sox has no public fix yet.

> subversion-1.8.10_3 is vulnerable:
> subversion -- DoS vulnerabilities
> CVE: CVE-2014-8108
> CVE: CVE-2014-3580
> WWW: https://vuxml.FreeBSD.org/freebsd/f5561ade-846c-11e4-b7a7-20cf30e32f6d.html
>
> subversion-1.8.10_3 is vulnerable:
> subversion -- DoS vulnerabilities
> CVE: CVE-2015-0251
> CVE: CVE-2015-0248
> CVE: CVE-2015-0202
> WWW: https://vuxml.FreeBSD.org/freebsd/8e887b71-d769-11e4-b1c2-20cf30e32f6d.html
>
> subversion-1.8.10_3 is vulnerable:
> subversion -- multiple vulnerabilities
> CVE: CVE-2015-3187
> CVE: CVE-2015-3184
> WWW: https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html

I can't speak to subversion at the moment.

> firefox-39.0,1 is vulnerable:
> libvpx -- multiple buffer overflows
> CVE: CVE-2015-4486
> CVE: CVE-2015-4485
> WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html
>
> firefox-39.0,1 is vulnerable:
> mozilla -- multiple vulnerabilities
> CVE: CVE-2015-4495
> WWW: https://vuxml.FreeBSD.org/freebsd/8eee06d4-c21d-4f07-a669-455151ff426f.html
>
> firefox-39.0,1 is vulnerable:
> mozilla -- multiple vulnerabilities
> CVE: CVE-2015-4493
> CVE: CVE-2015-4492
> CVE: CVE-2015-4491
> CVE: CVE-2015-4490
> CVE: CVE-2015-4489
> CVE: CVE-2015-4488
> CVE: CVE-2015-4487
> CVE: CVE-2015-4484
> CVE: CVE-2015-4483
> CVE: CVE-2015-4482
> CVE: CVE-2015-4481
> CVE: CVE-2015-4480
> CVE: CVE-2015-4479
> CVE: CVE-2015-4478
> CVE: CVE-2015-4477
> CVE: CVE-2015-4475
> CVE: CVE-2015-4474
> CVE: CVE-2015-4473
> WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

Quarterly branch has 40.0_4,1 which I linked above (r394030), so this does not apply either.

Just look at the package mirror:

http://pkg.freebsd.org/freebsd:10:x86:64/quarterly/All/

* firefox-40.0_4,1.txz
* subversion-1.8.13_2.txz
* libxul-38.2.0_2.txz

The packages are there, so I don't understand how you observe these packages to still be vulnerable.

In short: DON'T PANIC. The ports-secteam is dedicated to making sure the Quarterly branches are getting constant care and feeding. There have been a lot of changes in the past couple of months -- just look at the increase in vuxml entries being fed in.

Keep in mind that the less churn the quarterly branches have, the faster the packages can build. I can't make any promises and I'm not involved in the package building architecture, but I expect you'll see quarterly branches get ports/packages built and distributed to the mirrors faster simply because it's less work to do so.
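As an added example (not part of this thread, and not pkg(8)'s own code), a small Python script that parses the kind of `pkg audit -F` output quoted above and checks each flagged package against a listing of the quarterly mirror's All/ directory, separating packages where a newer build is already on the mirror (the firefox and subversion cases) from those with no newer build (libvpx, sox), which is the distinction the reply draws. The audit fragment and mirror listing are constructed samples, and the version ordering is a simplified form of pkg's (epoch, then dotted version, then revision).

```python
import re
# Constructed sample: a fragment of the `pkg audit -F` output quoted in the thread.
AUDIT_OUTPUT = """\
libvpx-1.4.0 is vulnerable:
CVE: CVE-2015-4486
subversion-1.8.10_3 is vulnerable:
CVE: CVE-2014-8108
firefox-39.0,1 is vulnerable:
CVE: CVE-2015-4495
"""
# Constructed sample: file names as they appear under quarterly/All/ on the mirror.
MIRROR_FILES = ["firefox-40.0_4,1.txz", "subversion-1.8.13_2.txz", "libvpx-1.4.0.txz"]
# name-version[_revision][,epoch]; the name itself may contain hyphens.
PKG_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+?)(?:_(?P<rev>\d+))?(?:,(?P<epoch>\d+))?$")
def split_pkg(pkg):
    """(name, key): simplified pkg(8) order = epoch, then dotted version, then revision."""
    m = PKG_RE.match(pkg)
    if not m:
        raise ValueError(f"not a package name: {pkg}")
    comps = [[(1, int(t)) if t.isdigit() else (0, t.lower())  # digit runs compare as ints
              for t in re.findall(r"\d+|[A-Za-z]+", c)]
             for c in m.group("ver").split(".")]
    return m.group("name"), (int(m.group("epoch") or 0), comps, int(m.group("rev") or 0))

def parse_audit(text):
    """Map each 'pkg is vulnerable:' entry to the CVE ids listed under it."""
    found, current = {}, None
    for line in text.splitlines():
        if line.endswith(" is vulnerable:"):
            current = line[:-len(" is vulnerable:")]
            found.setdefault(current, [])
        elif line.startswith("CVE: ") and current:
            found[current].append(line[5:])
    return found

def triage(audit_text, mirror_files):
    """Per vulnerable package: is a newer build already on the mirror, or is there no fix yet?"""
    newest = {}  # package name -> (key, file) of the newest build seen on the mirror
    for f in mirror_files:
        name, key = split_pkg(f[:-4] if f.endswith(".txz") else f)
        if name not in newest or key > newest[name][0]:
            newest[name] = (key, f)
    report = {}
    for pkg, cves in parse_audit(audit_text).items():
        name, key = split_pkg(pkg)
        avail = newest.get(name)
        status = (f"update available: {avail[1]}" if avail and avail[0] > key
                  else "no newer build on mirror" if avail else "not on mirror")
        report[pkg] = (status, cves)
    return report
```

Feed it the real `pkg audit -F` output and a fetched directory listing, and a package left in "no newer build on mirror" is exactly the case the reply asks to be sent to the maintainer and ports-secteam@.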