Date: Mon, 9 Oct 2017 17:17:32 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-ports@freebsd.org
Subject: Re: New pkg audit FNs
Message-ID: <b63f2936-e922-4a90-f256-6d7870dbd55b@FreeBSD.org>
In-Reply-To: <nycvar.OFS.7.76.1710090833020.60492@eboyr.pbz>
References: <nycvar.OFS.7.76.1710090833020.60492@eboyr.pbz>
On 09/10/2017 16:57, Roger Marquis wrote:
> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
> there's no mention of it in the vulnerability database. The tomcat8
> port's Makefile also still points to the older, vulnerable version.
> Tomcat is one of those popular, internet-facing applications that sites
> need to check and/or update quickly when CVEs are released and most
> admins probably don't expect "pkg audit" to throw false negatives.

Ports-secteam (and secteam, for that matter) will update VuXML when they know about vulnerabilities that affect FreeBSD ports; however, the usual mechanism is that the port maintainer either updates VuXML themselves directly or tells the appropriate people that there are vulnerabilities that need to be recorded. Ports-secteam do not try and track CVEs for everything in the ports: that's probably unfeasible given that it's a volunteer effort.

The latest tomcat advisories being missing from VuXML is a symptom of the perennial problem: nobody stepping up to do the work.

pkg-audit(8) has been pretty good at reporting problems, but it always has been a best-efforts thing, and there's no guarantee it will be comprehensive.

Cheers,

Matthew
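One defender-side check that follows from the point above, as an added example (not code from this list or from FreeBSD's pkg): parse a VuXML document and report which of the CVEs you are tracking for a port are not referenced by any entry for it, which are exactly the cases where pkg audit has nothing to flag. The VuXML fragment is constructed, with placeholder vid, version and CVE id; the path of the local vuln.xml is assumed to be the copy that `pkg audit -F` fetches under /var/db/pkg.

```python
import xml.etree.ElementTree as ET

# Namespace used by VuXML (the vuln.xml file pkg-audit(8) checks against).
NS = {"v": "http://www.vuxml.org/2002/vuxml"}

# Constructed VuXML fragment for the demo; vid, version and CVE id are placeholders.
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/2002/vuxml">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>tomcat8 -- placeholder older issue</topic>
    <affects>
      <package>
        <name>tomcat8</name>
        <range><lt>8.0.PLACEHOLDER</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-0000-00001</cvename>
    </references>
  </vuln>
</vuxml>
"""


def vuxml_entries(xml_text):
    """Return (vid, affected package names, CVE ids) for every <vuln> in a VuXML document."""
    root = ET.fromstring(xml_text)
    entries = []
    for vuln in root.findall("v:vuln", NS):
        names = [n.text for n in vuln.findall("v:affects/v:package/v:name", NS)]
        cves = [c.text for c in vuln.findall("v:references/v:cvename", NS)]
        entries.append((vuln.get("vid"), names, cves))
    return entries


def audit_gap(xml_text, package, cves):
    """CVEs from `cves` that no VuXML entry for `package` references.

    pkg audit can only flag what VuXML records, so anything returned here is a
    candidate false negative: the port may be vulnerable while audit stays silent.
    """
    recorded = set()
    for _vid, names, entry_cves in vuxml_entries(xml_text):
        if package in names:
            recorded.update(entry_cves)
    return [cve for cve in cves if cve not in recorded]


if __name__ == "__main__":
    # Real use: read /var/db/pkg/vuln.xml after `pkg audit -F` and pass the CVE ids
    # from the upstream advisory you are tracking for the port.
    print(audit_gap(SAMPLE_VUXML, "tomcat8", ["CVE-2017-12617"]))  # ['CVE-2017-12617']
```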