From: Steve Wills (swills@FreeBSD.org)
To: Jan Beich, Matthew Seaman
Cc: freebsd-ports@freebsd.org, ale@Freebsd.org
Subject: Re: New pkg audit FNs
Date: Mon, 9 Oct 2017 17:09:28 -0400
List: freebsd-ports@freebsd.org (Porting software to FreeBSD)
Hi,

On 10/09/2017 16:34, Jan Beich wrote:
> Matthew Seaman writes:
>
>> On 09/10/2017 16:57, Roger Marquis wrote:
>>
>>> Can anyone say what mechanisms the ports-security team might have in
>>> place to monitor CVEs and port software versions?

I've been hacking at a prototype for scanning what I can find:

https://github.com/swills/nvd_to_new_vuxml

It's more of a proof of concept than anything. The entry for this issue is still incomplete though, and the web page for it lists it as "waiting for analysis":

https://nvd.nist.gov/vuln/detail/CVE-2017-12617

>>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
>>> there's no mention of it in the vulnerability database. The tomcat8

It looks like it's there to me:

https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=451185&r2=451415
https://www.vuxml.org/freebsd/c0dae634-4820-4505-850d-b1c975d0f67d.html

And added days ago.

>>> port's Makefile also still points to the older, vulnerable version.

True, the maintainer needs to update it. I've copied him on this message.

>>> Tomcat is one of those popular, internet-facing applications that sites
>>> need to check and/or update quickly when CVEs are released and most
>>> admins probably don't expect "pkg audit" to throw false negatives.
>>
>> Ports-secteam (and secteam, for that matter) will update VuXML when they
>> know about vulnerabilities that affect FreeBSD ports, however the usual
>> mechanism is that the port maintainer either updates VuXML themselves
>> directly or tells the appropriate people that there are vulnerabilities
>> that need to be recorded.

Correct, but it doesn't have to be the port maintainer; anyone can submit a bug report with a patch to ports/security/vuxml/vuln.xml

> What happened to querying CVE database using CPE strings? ENOTIME is a
> common disease in volunteer projects, ports-secteam@ is no exception.
> Finding missing entries is trivial if one looks at Debian tracker.
> Let's pick something popular e.g., tiff-4.0.8 has 6 CVEs none of which
> are fixed in the port.
>
> https://wiki.freebsd.org/Ports/CPE

Indeed, I've wanted to try matching up ports/packages to the CVE entries by using CPE data. I will try to look at that again, but as always patches welcome. I'll try to add the missing tiff entries and any others anyone cares to point out.

Steve
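The CPE-based matching discussed in this thread, as an added example that is not Steve's nvd_to_new_vuxml prototype nor any FreeBSD project code: NVD-style `cpe_match` entries (the `cpe23Uri` plus `versionStartIncluding`/`versionEndExcluding` style range keys) are compared against installed packages' CPE vendor, product and version, and a matching range is rendered as a VuXML `<range>` for a draft vuln.xml entry. The package records, CVE ids and version ranges are constructed placeholders, and version comparison is a simplified numeric dotted compare (an assumption; real port versions need the pkg version ordering).

```python
import re

def vtuple(v):
    """Dotted version -> comparable tuple; non-numeric parts become 0 (a simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-_]", v))

def parse_cpe23(uri):
    """cpe:2.3:part:vendor:product:version:... (escaped colons not handled; assumption)."""
    f = uri.split(":")
    return {"vendor": f[3], "product": f[4], "version": f[5]}

# NVD range keys and the VuXML range element each one maps to
RANGE_KEYS = {"versionStartIncluding": "ge", "versionStartExcluding": "gt",
              "versionEndIncluding": "le", "versionEndExcluding": "lt"}

def cpe_match_applies(m, pkg):
    """True if one NVD cpe_match entry covers the installed package's version."""
    c = parse_cpe23(m["cpe23Uri"])
    if (c["vendor"], c["product"]) != (pkg["vendor"], pkg["product"]):
        return False
    v = vtuple(pkg["version"])
    if c["version"] not in ("*", "-"):          # exact version carried in the CPE itself
        return v == vtuple(c["version"])
    checks = {"ge": lambda b: v >= b, "gt": lambda b: v > b,
              "le": lambda b: v <= b, "lt": lambda b: v < b}
    return all(checks[t](vtuple(m[k])) for k, t in RANGE_KEYS.items() if k in m)

def audit(packages, cves):
    """Return sorted (pkgname, cve_id) pairs for every package some CPE match covers."""
    return sorted({(p["name"], cve["id"]) for cve in cves
                   for m in cve["cpe_match"] for p in packages if cpe_match_applies(m, p)})

def vuxml_range(m):
    """Render one cpe_match as a VuXML <range> element for a draft vuln.xml entry."""
    c = parse_cpe23(m["cpe23Uri"])
    if c["version"] not in ("*", "-"):
        return "<range><eq>%s</eq></range>" % c["version"]
    inner = "".join("<%s>%s</%s>" % (t, m[k], t) for k, t in RANGE_KEYS.items() if k in m)
    return "<range>%s</range>" % inner

# Constructed sample data: CVE ids and ranges are placeholders, not a real NVD feed excerpt
PACKAGES = [
    {"name": "tomcat8-8.5.20", "vendor": "apache", "product": "tomcat", "version": "8.5.20"},
    {"name": "tiff-4.0.8", "vendor": "libtiff", "product": "libtiff", "version": "4.0.8"},
    {"name": "tiff-4.0.9", "vendor": "libtiff", "product": "libtiff", "version": "4.0.9"},
]
CVES = [
    {"id": "CVE-0000-0001", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
                                           "versionStartIncluding": "8.5.0", "versionEndIncluding": "8.5.22"}]},
    {"id": "CVE-0000-0002", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:libtiff:libtiff:4.0.8:*:*:*:*:*:*:*"}]},
]
if __name__ == "__main__":
    for name, cve in audit(PACKAGES, CVES): print(name, "is affected by", cve)
```

Running `pkg audit` only catches what is already in vuln.xml, so a check like this is a way to find the false negatives the thread describes; each hit still needs a human to confirm the range before it is committed.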