From: "Roger Marquis"
Reply-To: marquis@roble.com
To: "Walter Parker"
Cc: freebsd-security@freebsd.org
Date: Thu, 28 May 2015 12:59:42 -0700
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
List-Id: "Security issues [members-only posting]"

Walter Parker wrote:
> What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that
> their systems are secure? An audit trail of CVE issues fixed, while a
> good start, is hardly a strong assurance that the system is secure.

An important point, and thank you for making it, Walter. There is no assurance against zero-day vulnerabilities or vulns that are otherwise not published (outside of the NSA). That would be absolute security.
In the context of relative security, however, assurance can perhaps be defined as being able to assume that CVEs released by NIST, announced by code or other operating system maintainers, or published by researchers or third parties such as Rapid7 and Tripwire are reflected in vuln.xml (after a reasonable timeframe).

> How much faster must FreeBSD respond for it to join the "security
> assurance" club of the major Linux vendors? Is this a paperwork issue
> or a process issue?

We don't have much insight into the workings of FreeBSD's security teams, so it appears to be a matter of policy. Would be great if Dag could comment here. The policies I would most like to know about are transparency-related, i.e., published security-related procedures, projects and RFCs.

Otherwise, what appears to be lacking is (additional) automation of the process of scanning CVEs and advisories by other organizations and subsequent prioritization, review and formatting for publication.

There are several of us interested in contributing towards these goals, financially, codewise and otherwise, but it is distressingly unclear how. There are PRs of course, but if, say, someone wanted to contribute specifically to the process of automating vuln.xml updates or to donate specifically to the security teams .... Pointers gladly accepted.

Roger
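The "relative assurance" Roger describes, that published CVEs show up in vuln.xml within a reasonable timeframe, is something a list member could measure with a small script rather than argue about. The example below is added here and is not code from the thread or from the FreeBSD project: it indexes a VuXML-style document by the CVE ids its entries reference, compares that index against a feed of advisory publication dates, and reports which CVEs are missing entirely and which were entered later than a chosen lag threshold. The element layout follows the VuXML schema (`<vuln vid>`, `<affects>/<package>/<name>`, `<references>/<cvename>`, `<dates>/<entry>`), but every entry, CVE id and date in the sample is constructed for illustration, and the function names `parse_vuxml` and `check_coverage` are this example's own.

```python
"""Added example, not part of the mailing-list thread: measure how well a
VuXML-style vuln.xml keeps up with an external advisory feed.

All entries, CVE ids and dates below are constructed; only the element
layout and namespace follow the real VuXML format."""
import xml.etree.ElementTree as ET
from datetime import date

# VuXML documents declare this default namespace, so every tag carries it.
NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed sample resembling vuln.xml (ids and dates are made up).
VUXML_SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>php55 -- constructed example issue</topic>
    <affects><package><name>php55</name><range><lt>5.5.25</lt></range></package></affects>
    <references><cvename>CVE-2015-0001</cvename><cvename>CVE-2015-0002</cvename></references>
    <dates><discovery>2015-05-01</discovery><entry>2015-05-10</entry></dates>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>unzoo -- constructed example issue</topic>
    <affects><package><name>unzoo</name><range><lt>4.4_3</lt></range></package></affects>
    <references><cvename>CVE-2015-0003</cvename></references>
    <dates><discovery>2015-04-01</discovery><entry>2015-05-28</entry></dates>
  </vuln>
</vuxml>
"""

# Constructed advisory feed: CVE id -> date the advisory was published.
ADVISORIES = {
    "CVE-2015-0001": date(2015, 5, 1),
    "CVE-2015-0002": date(2015, 5, 1),
    "CVE-2015-0003": date(2015, 4, 1),
    "CVE-2015-0004": date(2015, 5, 27),  # not in the sample vuln.xml
}


def parse_vuxml(text):
    """Map each CVE id referenced in the document to its entry metadata."""
    root = ET.fromstring(text)
    index = {}
    for vuln in root.iter(NS + "vuln"):
        packages = [n.text.strip() for n in vuln.iter(NS + "name")]
        entry_el = vuln.find(f"{NS}dates/{NS}entry")
        entry_date = date.fromisoformat(entry_el.text.strip()) if entry_el is not None else None
        for cve in vuln.iter(NS + "cvename"):
            index[cve.text.strip()] = {
                "vid": vuln.get("vid"),
                "packages": packages,
                "entry": entry_date,
            }
    return index


def check_coverage(vuxml_text, advisories, today, max_lag_days=14):
    """Classify each advisory CVE as on_time, late, or missing from vuln.xml.

    on_time/late carry (cve, days between publication and the vuln.xml entry);
    missing carries (cve, days the advisory has been open with no entry)."""
    index = parse_vuxml(vuxml_text)
    report = {"on_time": [], "late": [], "missing": []}
    for cve, published in sorted(advisories.items()):
        hit = index.get(cve)
        if hit is None:
            report["missing"].append((cve, (today - published).days))
            continue
        lag = (hit["entry"] - published).days if hit["entry"] else None
        if lag is not None and lag <= max_lag_days:
            report["on_time"].append((cve, lag))
        else:
            report["late"].append((cve, lag))
    return report


if __name__ == "__main__":
    result = check_coverage(VUXML_SAMPLE, ADVISORIES, date(2015, 5, 28), max_lag_days=14)
    for status, items in result.items():
        for cve, days in items:
            print(f"{status:8} {cve} ({days} days)")
```

Run against the real vuln.xml, the same two functions take the file contents and a dict built from whatever advisory source is being tracked; the `max_lag_days` threshold is the place to encode what "a reasonable timeframe" means for a given team.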