From owner-freebsd-security@FreeBSD.ORG Mon Jun 8 21:00:01 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 522B872E; Mon, 8 Jun 2015 21:00:01 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 3E03810FD; Mon, 8 Jun 2015 21:00:01 +0000 (UTC) (envelope-from marquis@roble.com) Received: from secure.postconf.com (mx5.roble.com [206.40.34.5]) by mx5.roble.com (Postfix) with ESMTP id 0A0DB67882; Mon, 8 Jun 2015 13:55:45 -0700 (PDT) In-Reply-To: References: <20150523153029.B7BD3280@hub.freebsd.org> <1432659389.3130746.278522905.6D1E6549@webmail.messagingengine.com> <20150527174037.EF719B11@hub.freebsd.org> <556746A4.4090208@FreeBSD.org> Date: Mon, 8 Jun 2015 13:55:45 -0700 Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo) From: "Roger Marquis" To: freebsd-security@freebsd.org Cc: freebsd-ports@freebsd.org, des@freebsd.org Reply-To: marquis@roble.com MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Jun 2015 21:00:01 -0000 > On Fri, May 29, 2015 at 5:15 PM, Robert Simmons wrote: > Crickets..... > > May I ask again: > > How do we find out who the members of the Ports Secteam are? > > How do we join the team? Anyone? >> On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery >> wrote: >>> I think the VUXML database needs to be simpler to contribute to. Only a >>> handful of committers feel comfortable touching the file. We have also >>> had the wrong pervasive mentality by committers and users that the vuxml >>> database should only have an entry if there is a committed fix. This is >>> totally wrong. These CVE are _already public_ in all of these cases. >>> Users deserve to know that there is a known issue with a package they >>> have installed. I can understand how the mentality grew to what it is >>> with some people, but the fact that there is not an update doesn't >>> change that the user's system is insecure and needs to be dealt with. If >>> the tool can't reliably report issues then it is not worth trusting. >>> TL;DR; the file needs to be simpler. I know there is an effort to use >>> CPE but I'm not too familiar with where it is going. >>> >>> As for maintainers tracking upstream mailing lists, this is hard. I'm >>> subscribed to a lot of lists and can't keep up with all of the traffic. >>> >>> The RedHat security team and reporting is very impressive. Don't forget >>> that they are a funded company though. Perhaps the FreeBSD Foundation >>> needs to fund a fulltime security officer that is devoted to both Ports >>> and Src. Just the Ports piece is easily a fulltime job. >> >> It seems from this thread that we have a group of people who are >> passionate enough about fixing this problem. >> >> How do we find out who the members of the Ports Secteam are? Once we >> know that, I'd say that at least some of the people on this thread are >> willing to join the Ports Secteam (myself included). How do we join >> the team? >> >> Once the team has new and energized members, I would envision the team >> then working through the problems that have been outlined in this >> thread and putting together a plan for fixing them.