From owner-freebsd-security@FreeBSD.ORG Thu May 28 17:19:14 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 39DEEA9 for ; Thu, 28 May 2015 17:19:14 +0000 (UTC) (envelope-from walterp@gmail.com) Received: from mail-wi0-x22b.google.com (mail-wi0-x22b.google.com [IPv6:2a00:1450:400c:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C9A0A337 for ; Thu, 28 May 2015 17:19:13 +0000 (UTC) (envelope-from walterp@gmail.com) Received: by wifw1 with SMTP id w1so70922361wif.0 for ; Thu, 28 May 2015 10:19:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=DbPNuhw54hYEN2qVIFv93oBXga7p13ZMcMeRKoND2BA=; b=EAeMCKHMVlouZwKhFVI/SCRbvYXSWmYbAb/lruj8R4HVeIc6N+3h7dy+AgnbKbOWs/ djgUpV+hw708Jp0IoU7u6SzKsynJHbkCLx0v57LOHEU/P8cFMLKJtmGevMj3y2LWWLsM 8AkwVqSpPnINUDxg9i64sF2BF/WuaZDEheXtE54Vsx7tXelnOce4G+YjI/zXZsHSNEeI Mi2iCrkTPEq33kjfVABBhOwErOZE+xPqkZkL0p/652yuIGGXqeRTdGvG4JLh2psZ7sA6 //XwjXC3pjutcGv0Dr2ou0C5CRRGXjWa3cjQMPmUJxtmZD9bA0AALio8lsfI6gZfXHZ2 sjwQ== MIME-Version: 1.0 X-Received: by 10.194.177.133 with SMTP id cq5mr6957032wjc.145.1432833552302; Thu, 28 May 2015 10:19:12 -0700 (PDT) Received: by 10.27.125.134 with HTTP; Thu, 28 May 2015 10:19:12 -0700 (PDT) Date: Thu, 28 May 2015 10:19:12 -0700 Message-ID: Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo) From: Walter Parker To: freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 May 2015 17:19:14 -0000 > Date: Wed, 27 May 2015 14:35:41 -0700 > From: "Roger Marquis" > To: "Mark Felder" > Cc: freebsd-ports@freebsd.org, freebsd-security@freebsd.org > Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo) > Message-ID: > Content-Type: text/plain;charset=iso-8859-1 > >>> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and >>> OpenBSD server operators) have no assurance that their systems are >>> secure. >> That's an interesting definition of security assurance. The existence or quicker updating of a list of insecure packages does not make a system secure. It aids in the auditing of the security of the system, which is not the same thing as actually having a secure system. Standard logic says that lack of evidence does not prove non-existence. What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that their systems are secure? An audit trail of CVE issues fixed, while a good start. is hardly a strong assurance that the system is secure. How much faster must FreeBSD respond for it to join the "security assurance" club of the major Linux vendors? Is this a paperwork issue or a process issue? Walter