From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Sun, 13 Aug 2023 19:43:37 +0200
To: freebsd-security@freebsd.org
Subject: Re: vulnerabilities in base unreported in VuXML
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Again and again and again...

New Security Vulnerabilities were published almost 2 weeks ago but they
were not added to the VuXML database again, so
/usr/local/etc/periodic/security/410.pkg-audit from pkg cannot report
these vulnerabilities on kernel and userland on any vulnerable system.

Please can the Security Team add all past vulnerabilities into VuXML and
fix the process of publishing future SAs so that they will never be
missed again?

Kind regards
Miroslav Lachman

On 04/05/2023 19:56, Miroslav Lachman wrote:
> As was noted on the FreeBSD forum [1], there is a problem with missing SA
> entries in VuXML (again).
> The last entry is from 2022-08-31 for zlib heap buffer overflow [2]
> 5 SA entries are missing. Can somebody from Security Officers take a
> look at it and publish the missing entries?
> And fix the SA release process for all future SAs so we do not miss any
> again?
> Periodic 405.pkg-base-audit from pkg is useless without an up-to-date
> VuXML.
>
> [1] https://forums.freebsd.org/threads/pkg-audit-vuln-xml-no-more-updates-for-base-system-and-kernel.71239/#post-609407
> [2] https://www.vuxml.org/freebsd/pkg-FreeBSD.html
>
> Kind regards
> Miroslav Lachman
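
An added example, not part of the message above and not code from pkg or the FreeBSD project: a heuristic check an administrator could run over a copy of the VuXML file to see whether its base-system entries lag behind the newest advisory they know of. It assumes the VuXML layout in which base entries use the package names FreeBSD and FreeBSD-kernel; the sample document, its vids and the function names are constructed for illustration.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
# Package names VuXML uses for base userland and kernel entries.
BASE_NAMES = {"FreeBSD", "FreeBSD-kernel"}

# Constructed sample in VuXML layout; vids, topics and versions are made up.
SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>example-port -- constructed entry</topic>
    <affects><package><name>example-port</name>
      <range><lt>1.2</lt></range></package></affects>
    <dates><discovery>2023-07-30</discovery><entry>2023-08-01</entry></dates>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>FreeBSD -- constructed base entry</topic>
    <affects><package><name>FreeBSD</name>
      <range><ge>13.1</ge><lt>13.1_2</lt></range></package></affects>
    <dates><discovery>2022-08-30</discovery><entry>2022-08-31</entry></dates>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000003"><cancelled/></vuln>
</vuxml>"""


def newest_entries(xml_text):
    """Return (newest base entry date, newest entry date of any kind)."""
    newest_base = newest_any = None
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        entry = vuln.findtext("v:dates/v:entry", namespaces=NS)
        if not entry:
            continue  # cancelled entries carry no <dates>
        day = dt.date.fromisoformat(entry.strip())
        names = {(n.text or "").strip()
                 for n in vuln.findall("v:affects/v:package/v:name", NS)}
        if newest_any is None or day > newest_any:
            newest_any = day
        if names & BASE_NAMES and (newest_base is None or day > newest_base):
            newest_base = day
    return newest_base, newest_any


def base_is_stale(xml_text, latest_sa_date):
    """True when no base entry is as recent as the newest known advisory."""
    newest_base, _ = newest_entries(xml_text)
    return newest_base is None or newest_base < latest_sa_date


if __name__ == "__main__":
    # 2023-08-01 stands in for the publication date of the latest advisory.
    print(newest_entries(SAMPLE), base_is_stale(SAMPLE, dt.date(2023, 8, 1)))
```

A stale result means the pkg audit periodic jobs can stay silent about base even while port entries keep arriving, which is the gap the message describes.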