From: Roger Marquis
Date: Mon, 9 Oct 2017 08:57:35 -0700 (PDT)
To: freebsd-ports@freebsd.org
cc: freebsd-security@freebsd.org
Subject: New pkg audit FNs

Can anyone say what mechanisms the ports-security team might have in place to monitor CVEs and port software versions?

The reason I ask is CVE-2017-12617 was announced almost a week ago, yet there's no mention of it in the vulnerability database. The tomcat8 port's Makefile also still points to the older, vulnerable version.

Tomcat is one of those popular, internet-facing applications that sites need to check and/or update quickly when CVEs are released, and most admins probably don't expect "pkg audit" to throw false negatives. Tomcat is just one of many apps, however, so concern regarding the validity of FreeBSD's vulnerability database is larger than this CVE.

We are concerned about update processes and procedures, especially considering how this topic has come up in the past (for different apps).

Roger Marquis
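The false negative described above happens when a CVE has no VuXML entry yet, so `pkg audit` has nothing to match against. The following added example (not part of the original post or of pkg itself) cross-checks a CVE identifier against a VuXML-format file and reports "unlisted" separately from "vulnerable"/"not affected"; the embedded `<vuln>` entry is a constructed sample with placeholder vid and version range, not the real advisory data, and the version comparison is a simplification of pkg's own rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in VuXML layout (not the real FreeBSD vuln.xml).
# The vid and the <lt> range are placeholders, not the real advisory data.
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>tomcat8 -- constructed sample entry</topic>
    <affects>
      <package>
        <name>tomcat8</name>
        <range><lt>8.5.99</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2017-12617</cvename>
    </references>
  </vuln>
</vuxml>
"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_vuxml(text):
    """Map each CVE name to the (package, fixed-before version) pairs it affects."""
    out = {}
    for vuln in ET.fromstring(text).findall("v:vuln", NS):
        pkgs = []
        for pkg in vuln.findall("v:affects/v:package", NS):
            name = pkg.findtext("v:name", namespaces=NS)
            for lt in pkg.findall("v:range/v:lt", NS):
                pkgs.append((name, lt.text))
        for cve in vuln.findall("v:references/v:cvename", NS):
            out.setdefault(cve.text, []).extend(pkgs)
    return out


def version_key(v):
    # Simplified: numeric components only. pkg's real comparison also
    # handles "_N" port revisions and ",N" epochs.
    return tuple(int(x) for x in re.findall(r"\d+", v))


def audit(vuxml_text, cve, pkgname, installed):
    """'unlisted' means the database has no entry for the CVE at all:
    pkg audit would stay silent even if the installed version is affected."""
    entries = parse_vuxml(vuxml_text).get(cve)
    if not entries:
        return "unlisted"
    for name, lt in entries:
        if name == pkgname and version_key(installed) < version_key(lt):
            return "vulnerable"
    return "not affected"
```

Against a real system, feed it the database `pkg audit -F` downloads (typically /var/db/pkg/vuln.xml) and the version from `pkg query '%v' tomcat8`; an "unlisted" result for a published CVE is exactly the gap the post is about.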