Subject: Re: New pkg audit FNs
To: freebsd-ports@freebsd.org
From: Matthew Seaman
Date: Mon, 9 Oct 2017 17:17:32 +0100

On 09/10/2017 16:57, Roger Marquis wrote:
> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
> there's no mention of it in the vulnerability database. The tomcat8
> port's Makefile also still points to the older, vulnerable version.
> Tomcat is one of those popular, internet-facing applications that sites
> need to check and/or update quickly when CVEs are released and most
> admins probably don't expect "pkg audit" to throw false negatives.

Ports-secteam (and secteam, for that matter) will update VuXML when they know about vulnerabilities that affect FreeBSD ports; however, the usual mechanism is that the port maintainer either updates VuXML themselves directly or tells the appropriate people that there are vulnerabilities that need to be recorded. Ports-secteam do not try and track CVEs for everything in the ports: that's probably unfeasible given that it's a volunteer effort.

The latest tomcat advisories being missing from VuXML is a symptom of the perennial problem: nobody stepping up to do the work.

pkg-audit(8) has been pretty good at reporting problems, but it always has been a best-efforts thing, and there's no guarantee it will be comprehensive.

Cheers,

Matthew