From: User
Date: Mon, 9 Oct 2017 11:08:28 -0500
Subject: Re: New pkg audit FNs
To: Roger Marquis
Cc: freebsd-ports, freebsd-security

Hello,

They go by the public CVE announcements. The audit db might be slow on updating. But really you should be following CVEs for any software you use yourself that is mission critical.

On Oct 9, 2017 11:01 AM, "Roger Marquis" wrote:
> Can anyone say what mechanisms the ports-security team might have in
> place to monitor CVEs and port software versions?
>
> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
> there's no mention of it in the vulnerability database. The tomcat8
> port's Makefile also still points to the older, vulnerable version.
> Tomcat is one of those popular, internet-facing applications that sites
> need to check and/or update quickly when CVEs are released and most
> admins probably don't expect "pkg audit" to throw false negatives.
>
> Tomcat is just one of many apps, however, so concern regarding the
> validity of FreeBSD's vulnerability database is larger than this CVE.
> We are concerned about update processes and procedures, especially
> considering how this topic has come up in the past (for different apps).
>
> Roger Marquis
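The false negative the thread is about follows directly from how an audit works: the tool can only flag a version that falls inside a range recorded in the database, so an entry that has not been added yet makes the installed package look clean. The following is an added example, not pkg(8)'s code or anything from the ports-security team: a minimal reader for entries in the VuXML layout the FreeBSD vulnerability database uses (`vuln`, `affects/package/name`, `range` with `ge`/`lt` bounds, `references/cvename`), a range check over an installed-package list, and the cross-check the reply recommends, comparing a CVE watchlist you maintain yourself against what the database mentions. The `vid` and the affected version range in the sample entry are constructed for illustration (only the CVE id comes from the thread), and `version_key` is a simplified dotted-numeric comparison, not the full pkg-version(8) ordering.

```python
"""Added example (not pkg(8)'s or the ports-security team's code): a minimal
VuXML-style reader showing how a version-range audit works and why an entry
missing from the database produces a false negative."""
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample database. The vid and the affected range are invented
# for illustration; only the CVE id appears in the thread.
SAMPLE_DB = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>tomcat -- sample entry (constructed)</topic>
    <affects>
      <package>
        <name>tomcat8</name>
        <range><ge>8.5.0</ge><lt>8.5.23</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2017-12617</cvename>
    </references>
  </vuln>
</vuxml>"""

# A database that has not picked up the entry yet: the situation in the thread.
STALE_DB = '<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"></vuxml>'


def version_key(v):
    """Simplified comparison key (assumption): digits and dots only.
    pkg-version(8)'s real ordering also handles letters and '_'/',' suffixes."""
    return tuple(int(p) for p in v.split("."))


def in_range(version, range_el):
    """True if version satisfies every bound (ge/gt/le/lt/eq) in a <range>."""
    key = version_key(version)
    ops = {
        "ge": lambda a, b: a >= b,
        "gt": lambda a, b: a > b,
        "le": lambda a, b: a <= b,
        "lt": lambda a, b: a < b,
        "eq": lambda a, b: a == b,
    }
    for bound in range_el:
        tag = bound.tag.split("}")[-1]  # strip the XML namespace prefix
        if not ops[tag](key, version_key(bound.text.strip())):
            return False
    return True


def parse_db(xml_text):
    """Yield (vid, topic, cves, {pkgname: [range elements]}) for each <vuln>."""
    root = ET.fromstring(xml_text)
    for vuln in root.findall("v:vuln", NS):
        cves = [c.text for c in vuln.findall("v:references/v:cvename", NS)]
        affects = {}
        for pkg in vuln.findall("v:affects/v:package", NS):
            ranges = pkg.findall("v:range", NS)
            for name in pkg.findall("v:name", NS):
                affects.setdefault(name.text, []).extend(ranges)
        yield vuln.get("vid"), vuln.findtext("v:topic", "", NS), cves, affects


def audit(installed, xml_text):
    """Return [(pkgname, version, [cves])] for installed packages inside an
    affected range. installed is {pkgname: version}, as pkg would report it."""
    findings = []
    for vid, topic, cves, affects in parse_db(xml_text):
        for name, ranges in affects.items():
            version = installed.get(name)
            if version is not None and any(in_range(version, r) for r in ranges):
                findings.append((name, version, cves))
    return findings


def uncovered_cves(watchlist, xml_text):
    """CVEs from your own watchlist that the database does not mention at all:
    the independent check the reply recommends for mission-critical software."""
    known = {c for _, _, cves, _ in parse_db(xml_text) for c in cves}
    return sorted(set(watchlist) - known)


if __name__ == "__main__":
    installed = {"tomcat8": "8.5.20"}  # constructed installed-package list
    print(audit(installed, SAMPLE_DB))  # one finding
    print(audit(installed, STALE_DB))  # [] : the false negative
    print(uncovered_cves(["CVE-2017-12617"], STALE_DB))  # watchlist catches it
```

Running the block with the same installed list against both databases shows the point of the thread: the vulnerable version is reported only when the entry exists, and an empty result from the stale database says nothing about the package itself. The watchlist check is the cheap complement: it tells you which CVEs you care about are not yet covered, so you know when not to trust a clean audit.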