From: Bryan Drewery (FreeBSD)
Date: Thu, 10 Apr 2014 15:05:33 -0500
To: Janne Snabb, freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Missing binary package security updates?
Message-ID: <5346F98D.6030102@FreeBSD.org>
In-Reply-To: <5346E459.3020207@epipe.com>

On 4/10/2014 1:35 PM, Janne Snabb wrote:
> Hi,
>
> I recently started using the new fancy pkgng binary packages on some
> machines that I maintain. I thought I could save a lot of time as I
> would not need to keep compiling ports manually any more.
>
> Unfortunately it seems that it was not such a good idea:
>
> # date
> Thu Apr 10 21:27:22 EEST 2014
> # pkg audit
> openssl-1.0.1_9 is vulnerable:
> OpenSSL -- Multiple vulnerabilities - private data exposure
> CVE: CVE-2014-0076
> CVE: CVE-2014-0160
> WWW: http://portaudit.FreeBSD.org/5631ae98-be9e-11e3-b5e3-c80aa9043978.html
>
> 1 problem(s) in the installed packages found.
> # pkg upgrade
> Updating repository catalogue
> Nothing to do
> #
>
> This is on FreeBSD 8/i386.
>
> I think I have noticed binary package updates only about once a week. Is
> my observation correct? Why such an infrequent update cycle? If there is
> some real reason to build package updates so rarely, would it be
> possible to hasten the cycle whenever serious issues like CVE-2014-0160
> are found?

(I am involved in building the packages)

Yes, packages currently start building Tuesday night.
It takes until Saturday/Sunday for all release/arch to finish building.
As each release/arch is finished the packages are uploaded.

I did want to expedite updating this package but was blocked by a number
of things. I regret we did not, and will not, have a package available
sooner for all release/archs.

I have started an internal discussion on building packages more
frequently for security updates.

> Right now pkgng binary packages are not really suitable for production
> use because of lacking essential security updates. (There should be a
> loud and clear warning about this in the Handbook if it stays this way?)
>
> Best Regards,
>

--
Regards,
Bryan Drewery
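A check for the gap Janne's session shows (pkg audit flags a package while pkg upgrade has nothing newer), added here as an example and not code from Bryan or the FreeBSD project: it parses pkg audit output in the format quoted above and, per flagged package, asks the repository whether it already offers a version that pkg audit does not flag, so an admin knows whether to upgrade, build from ports, or wait for the next weekly build. The sample audit text is constructed; the live mode assumes pkg(8) with its standard pkg rquery and per-package pkg audit invocations.

```shell
#!/bin/sh
# Constructed sample of `pkg audit` output, in the format quoted in the thread
# (sample data, not captured from a real host).
SAMPLE_AUDIT='openssl-1.0.1_9 is vulnerable:
OpenSSL -- Multiple vulnerabilities - private data exposure
CVE: CVE-2014-0076
CVE: CVE-2014-0160
WWW: http://portaudit.FreeBSD.org/5631ae98-be9e-11e3-b5e3-c80aa9043978.html

1 problem(s) in the installed packages found.'

# Turn "name-version is vulnerable:" lines on stdin into "name version" pairs.
# The version is everything after the last dash, as in FreeBSD package names.
vulnerable_pkgs() {
    sed -n 's/^\(.*\)-\([^-]*\) is vulnerable:$/\1 \2/p'
}

# Decide what to do about one flagged package (pure logic, no pkg calls).
#   $1 name, $2 installed version, $3 version the repo offers ("" if none),
#   $4 "yes" if `pkg audit` also flags the repo's version, otherwise "no".
classify() {
    if [ -z "$3" ]; then
        echo "$1: not in repository; build from ports"
    elif [ "$3" = "$2" ]; then
        echo "$1: repo still ships $2; no fix until the next build (build from ports or wait)"
    elif [ "$4" = "yes" ]; then
        echo "$1: repo has $3 but it is also flagged; build from ports"
    else
        echo "$1: repo has $3 which is not flagged; run pkg upgrade"
    fi
}

# Live-host plumbing; these are standard pkg(8) invocations.
repo_version() { pkg rquery '%v' "$1" 2>/dev/null; }
repo_flagged() { [ -n "$(pkg audit -q "$1-$2" 2>/dev/null)" ] && echo yes || echo no; }

# Audit the running system and classify every finding.
check_host() {
    pkg audit 2>/dev/null | vulnerable_pkgs | while read -r name inst; do
        repo=$(repo_version "$name")
        flagged=no
        [ -n "$repo" ] && flagged=$(repo_flagged "$name" "$repo")
        classify "$name" "$inst" "$repo" "$flagged"
    done
}

if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it with --live on a FreeBSD host; without the flag it only defines the functions, which is how the sample data is exercised.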