From: Matthieu Michaud
To: freebsd-ports@freebsd.org
Date: Fri, 29 Dec 2006 14:15:08 +0100
Subject: Re: squirrelmail vuln not published on vuxml ?
Message-ID: <459514DC.6060208@epita.info>
In-Reply-To: <4594EA9D.5070604@infracaninophile.co.uk>
List-Id: Porting software to FreeBSD

Matthew Seaman wrote:
> Matthieu Michaud wrote:
>
>> if i'm not wrong, it seems like the security issue with squirrelmail
>> 1.4.8 published on squirrelmail.org is not reported on vuxml. shouldn't
>> it be ?
>
> It looks like a good candidate for that, yes. In order for such problems
> to find their way into vuxml the Security Team first has to be made aware
> of them. E-mail to sec-team@freebsd.org generally suffices, and it will
> help them if references to security advisories, reports on Bugtraq, Secunia
> and similar sites, CVE numbers etc. can be included in the report.
>
> However making that report (along with updating the port to fix the
> vulnerabilities) is the port maintainer's responsibility in the first
> instance -- only if the maintainer fails to reply or deal with your
> concerns should you go direct.
>
> When updating a port to fix a security hole, adding [security] to the
> synopsis (which becomes the Subject line in the gnats e-mails) and CC'ing
> sec-team@freebsd.org is generally sufficient to get appropriate entries
> made in vuxml and portaudit's DB.
>
> Cheers,
>
> Matthew
>

let's do it, maintainer CC'ed (please read above :p).