From: Remko Lodder
To: Roger Marquis
Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Date: Sat, 23 May 2015 20:28:32 +0200
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
In-Reply-To: <20150523153030.CEA8C2DB@hub.freebsd.org>

Please send these things to ports-secteam@FreeBSD.org so that they can have a look at these please.

Thanks,
Remko

> On 23 May 2015, at 17:30, Roger Marquis wrote:
>
> FYI regarding these new and significant failures of FreeBSD security
> policy and procedures.
>
> PHP55 vulnerabilities announced over a week ago ) have still
> not been ported to lang/php55. You can, however, edit the Makefile,
> increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum
> deinstall reinstall clean' to secure a server without waiting for the
> port to be updated. Older versions of PHP may also have unpatched
> vulnerabilities that are not noted in the vuln.xml database.
>
> New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg
> audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your earliest
> convenience if you have these installed.
>
> HEADS-UP: anyone maintaining public-facing FreeBSD servers who is
> depending on 'pkg audit' to report whether a server is secure: it should
> be noted that this method is no longer reliable.
>
> If you find a vulnerability such as a new CVE or mailing list
> announcement please send it to the port maintainer and
> as quickly as possible. They are woefully
> understaffed and need our help. Though freebsd.org indicates that
> security alerts should be sent to this is
> incorrect. If the vulnerability is in a port or package send an alert to
> ports-secteam@ and NOT secteam@ as the secteam will generally not reply
> to your email or forward the alerts to ports-secteam.
>
> Roger
>
>> Does anyone know what's going on with vuln.xml updates? Over the last
>> few weeks and months CVEs and application mailing lists have announced
>> vulnerabilities for several ports that in some cases only showed up in
>> vuln.xml after several days and in other cases are still not listed
>> (despite email to the security team).
>
-- 
 /"\   Best regards,                        | remko@FreeBSD.org
 \ /   Remko Lodder                         | remko@EFnet
  X    http://www.evilcoder.org/            |
 / \   ASCII Ribbon Campaign                | Against HTML Mail and News
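The thread's underlying point is that 'pkg audit' can only flag what vuln.xml already describes: a package whose advisory has not yet been entered is reported as clean. The following is an added example, not code from this thread or from FreeBSD's pkg(8), that performs the same kind of range match over a constructed vuln.xml fragment (placeholder vid, topic text invented for illustration) and shows both the positive match for php55 below 5.5.25 and the silent miss for a package with no entry. The version comparator is a simplified one that understands only VERSION[_REVISION][,EPOCH]; the real pkg version(8) grammar is richer.

```python
"""Minimal vuln.xml range check (added example; simplified, not pkg(8))."""
import xml.etree.ElementTree as ET

# Constructed vuln.xml fragment. It is NOT the real FreeBSD database:
# the vid is a placeholder and the topic is invented. The php55 range
# mirrors the mail (fixed in 5.5.25); there is deliberately no entry
# for unzoo, which is the situation the mail complains about.
VULN_XML = """<?xml version="1.0"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>php55 -- multiple vulnerabilities (constructed entry)</topic>
    <affects>
      <package>
        <name>php55</name>
        <range><lt>5.5.25</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_version(v):
    """Simplified FreeBSD package version: VERSION[_REVISION][,EPOCH].

    Returns a tuple ordered the way pkg orders them: epoch dominates,
    then the dotted version, then the port revision. Letter suffixes
    and 'pl' components are not handled (assumption of this example).
    """
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    parts = tuple(int(p) if p.isdigit() else 0 for p in v.split("."))
    return (epoch, parts, revision)


def version_in_range(version, range_el):
    """True if `version` satisfies every bound inside one <range>."""
    cur = parse_version(version)
    for bound in range_el:  # child elements: lt, le, gt, ge, eq
        tag = bound.tag.split("}")[-1]  # strip the XML namespace
        other = parse_version(bound.text.strip())
        ok = {
            "lt": cur < other,
            "le": cur <= other,
            "gt": cur > other,
            "ge": cur >= other,
            "eq": cur == other,
        }.get(tag)
        if ok is None:
            raise ValueError("unknown range bound <%s>" % tag)
        if not ok:
            return False
    return True


def audit(installed, xml_text=VULN_XML):
    """installed: {package name: version}. Returns {name: [topics]}.

    Packages with no <vuln> entry never appear in the result, even if
    an advisory exists elsewhere: that is the false negative the mail
    warns about, and it is a property of the database, not the check.
    """
    root = ET.fromstring(xml_text)
    hits = {}
    for vuln in root.findall("v:vuln", NS):
        topic = vuln.findtext("v:topic", default="", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = [n.text for n in pkg.findall("v:name", NS)]
            ranges = pkg.findall("v:range", NS)
            for name in names:
                if name not in installed:
                    continue
                if any(version_in_range(installed[name], r) for r in ranges):
                    hits.setdefault(name, []).append(topic)
    return hits


if __name__ == "__main__":
    # Constructed inventory: php55 is the vulnerable version from the
    # mail; unzoo has no entry at all, so it is reported as clean.
    inventory = {"php55": "5.5.24", "unzoo": "4.4_2"}
    report = audit(inventory)
    for name, version in inventory.items():
        status = "VULNERABLE" if name in report else "no entry / not affected"
        print("%s-%s: %s" % (name, version, status))
```

Running it reports php55-5.5.24 as vulnerable and unzoo-4.4_2 as clean, which is exactly why the mail tells administrators not to treat an empty 'pkg audit' as proof a host is patched; the check is correct, the database is what lags.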