Date:      Mon, 9 Oct 2017 17:09:28 -0400
From:      Steve Wills <swills@FreeBSD.org>
To:        Jan Beich <jbeich@FreeBSD.org>, Matthew Seaman <matthew@FreeBSD.org>
Cc:        freebsd-ports@freebsd.org, ale@Freebsd.org
Subject:   Re: New pkg audit FNs
Message-ID:  <d56ddf99-a1fc-e813-67ed-ea6d65c8211f@FreeBSD.org>
In-Reply-To: <tvz8-rrf3-wny@FreeBSD.org>
References:  <nycvar.OFS.7.76.1710090833020.60492@eboyr.pbz> <b63f2936-e922-4a90-f256-6d7870dbd55b@FreeBSD.org> <tvz8-rrf3-wny@FreeBSD.org>

Hi,

On 10/09/2017 16:34, Jan Beich wrote:
> Matthew Seaman <matthew@FreeBSD.org> writes:
> 
>> On 09/10/2017 16:57, Roger Marquis wrote:
>>
>>> Can anyone say what mechanisms the ports-security team might have in
>>> place to monitor CVEs and port software versions? 

I've been hacking at a prototype for scanning what I can find:

https://github.com/swills/nvd_to_new_vuxml

It's more of a proof of concept than anything. The entry for this issue 
is still incomplete though, and the web page for it lists it as "waiting 
for analysis":

https://nvd.nist.gov/vuln/detail/CVE-2017-12617

>>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
>>> there's no mention of it in the vulnerability database.  The tomcat8

It looks like it's there to me:

https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=451185&r2=451415

https://www.vuxml.org/freebsd/c0dae634-4820-4505-850d-b1c975d0f67d.html

And added days ago.

>>> port's Makefile also still points to the older, vulnerable version.

True, the maintainer needs to update it. I've copied him on this message.

>>> Tomcat is one of those popular, internet-facing applications that sites
>>> need to check and/or update quickly when CVEs are released and most
>>> admins probably don't expect "pkg audit" to throw false negatives.
>>
>> Ports-secteam (and secteam, for that matter) will update VuXML when they
>> know about vulnerabilities that affect FreeBSD ports, however the usual
>> mechanism is that the port maintainer either updates VuXML themselves
>> directly or tells the appropriate people that there are vulnerabilities
>> that need to be recorded.

Correct, but it doesn't have to be the port maintainer; anyone can 
submit a bug report with a patch to ports/security/vuxml/vuln.xml.

> What happened to querying CVE database using CPE strings? ENOTIME is a
> common disease in volunteer projects, ports-secteam@ is no exception.
> Finding missing entries is trivial if one looks at Debian tracker.
> Let's pick something popular e.g., tiff-4.0.8 has 6 CVEs none of which
> are fixed in the port.
> 
> https://wiki.freebsd.org/Ports/CPE

Indeed, I've wanted to try matching up ports/packages to the CVE entries 
by using CPE data. I will try to look at that again, but as always 
patches welcome.

I'll try to add the missing tiff entries and any others anyone cares to 
point out.

Steve
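As an added illustration of the CPE-matching approach raised in this thread (matching installed package versions against the CVE database via CPE data), the following Python script is not code from the thread or from the swills/nvd_to_new_vuxml repository. It assumes the NVD JSON feed layout for `cpe_match` objects (a `cpe23Uri` plus optional `versionStartIncluding`/`versionStartExcluding`/`versionEndIncluding`/`versionEndExcluding` bounds); the package-to-CPE table, the version bounds, the `CVE-0000-0001` id and the package list are constructed sample data, and the bounds attached to CVE-2017-12617 here are invented for the demonstration, not the advisory's real affected ranges.

```python
"""Match installed package versions against NVD-style CPE match entries.

Added illustration of the CPE-matching idea from the thread; not code from
the thread or from the swills/nvd_to_new_vuxml repository. Assumes the NVD
JSON feed layout for `cpe_match` objects (a `cpe23Uri` plus optional
versionStart*/versionEnd* bounds). All package names, CPE strings, version
bounds and the CVE-0000-0001 id below are constructed sample data.
"""
import re

# Constructed sample of cpe_match objects (configurations.nodes[].cpe_match[]
# in the NVD feeds). The CVE-2017-12617 bounds are made up for this demo and
# are NOT the advisory's real affected ranges.
CPE_MATCHES = [
    {"cve": "CVE-2017-12617",
     "cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "8.5.0", "versionEndExcluding": "8.5.23"},
    {"cve": "CVE-2017-12617",
     "cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.1"},
    {"cve": "CVE-0000-0001",  # placeholder id, constructed
     "cpe23Uri": "cpe:2.3:a:libtiff:libtiff:4.0.8:*:*:*:*:*:*:*"},
]

# Constructed package-name -> (vendor, product) table. In the ports tree this
# association would come from each port's CPE metadata (see the Ports/CPE
# wiki page linked in the thread), not from a hand-written dict.
PKG_TO_CPE = {
    "tomcat8": ("apache", "tomcat"),
    "tomcat9": ("apache", "tomcat"),
    "tiff": ("libtiff", "libtiff"),
}

CPE23_FIELDS = ("cpe", "version_id", "part", "vendor", "product", "version",
                "update", "edition", "language", "sw_edition", "target_sw",
                "target_hw", "other")


def parse_cpe23(uri: str) -> dict:
    """Split a CPE 2.3 formatted string on unescaped colons into named fields."""
    parts = re.split(r"(?<!\\):", uri)
    if len(parts) != len(CPE23_FIELDS) or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {uri!r}")
    return dict(zip(CPE23_FIELDS, parts))


def upstream_version(pkg_version: str) -> str:
    """Drop the FreeBSD-only port revision (_N) and epoch (,N) suffixes."""
    return re.split(r"[_,]", pkg_version, maxsplit=1)[0]


def vkey(version: str) -> tuple:
    """Numeric tuple for ordering: vkey('8.5') < vkey('8.5.23') as tuples."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def cpe_applies(match: dict, vendor: str, product: str, version: str) -> bool:
    """True if the cpe_match entry covers vendor/product at this version."""
    cpe = parse_cpe23(match["cpe23Uri"])
    if (cpe["vendor"], cpe["product"]) != (vendor, product):
        return False
    v = vkey(version)
    if cpe["version"] not in ("*", "-"):
        # The CPE names one exact version instead of a range.
        return vkey(cpe["version"]) == v
    checks = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding", lambda b: v <= b),
        ("versionEndExcluding", lambda b: v < b),
    )
    return all(ok(vkey(match[key])) for key, ok in checks if key in match)


def audit(installed: dict) -> dict:
    """Map package name -> sorted CVE ids whose CPE data covers its version.

    Packages with no CPE mapping are skipped silently here; that gap is
    itself a source of false negatives, so a real tool should report them.
    """
    findings = {}
    for pkg, pkg_version in installed.items():
        if pkg not in PKG_TO_CPE:
            continue
        vendor, product = PKG_TO_CPE[pkg]
        version = upstream_version(pkg_version)
        cves = {m["cve"] for m in CPE_MATCHES
                if cpe_applies(m, vendor, product, version)}
        if cves:
            findings[pkg] = sorted(cves)
    return findings


if __name__ == "__main__":
    # Constructed "pkg query '%n %v'" style input: name -> version
    sample = {"tomcat8": "8.5.20_1", "tomcat9": "9.0.1",
              "tiff": "4.0.8", "nginx": "1.12.1"}
    for pkg, cves in audit(sample).items():
        print(f"{pkg}-{sample[pkg]} matches {', '.join(cves)}")
```

The two points worth noting for a VuXML workflow are in `upstream_version` and `audit`: FreeBSD package versions carry `_N` revisions and `,N` epochs that upstream CPE data never sees, so they have to be stripped before comparison, and any port without a CPE mapping simply drops out of the match, which is exactly the kind of silent false negative the thread is about.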


