Date:      Mon, 9 Oct 2017 11:08:28 -0500
From:      User <kitchetech@gmail.com>
To:        Roger Marquis <marquis@roble.com>
Cc:        freebsd-ports <freebsd-ports@freebsd.org>,  freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: New pkg audit FNs
Message-ID:  <CAD-N7OAPe=e4-qf0%2B6xmA-72B8F5%2BStchALFPtPCzr1yfeWxyA@mail.gmail.com>
In-Reply-To: <nycvar.OFS.7.76.1710090833020.60492@eboyr.pbz>
References:  <nycvar.OFS.7.76.1710090833020.60492@eboyr.pbz>

Hello,

They go by the public CVE announcements. The audit DB might be slow on
updating. But really, you should be following CVEs for any software you use
yourself that is mission critical.

On Oct 9, 2017 11:01 AM, "Roger Marquis" <marquis@roble.com> wrote:

> Can anyone say what mechanisms the ports-security team might have in
> place to monitor CVEs and port software versions?
>
> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
> there's no mention of it in the vulnerability database.  The tomcat8
> port's Makefile also still points to the older, vulnerable version.
> Tomcat is one of those popular, internet-facing applications that sites
> need to check and/or update quickly when CVEs are released and most
> admins probably don't expect "pkg audit" to throw false negatives.
>
> Tomcat is just one of many apps, however, so concern regarding the
> validity of FreeBSD's vulnerability database is larger than this CVE.
> We are concerned about update processes and procedures, especially
> considering how this topic has come up in the past (for different apps).
>
> Roger Marquis
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
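
The gap Roger describes (a CVE that is already public but absent from the vulnerability database, so `pkg audit` stays silent) can be checked directly, because `pkg audit` only knows what the local VuXML file contains. The script below is an added example, not code from anyone in this thread or from the FreeBSD project. It parses a VuXML document, reports which CVEs it references, tests whether an installed package version falls inside a VuXML `<range>`, and lists CVEs you track upstream that the database does not mention. The VuXML sample embedded in it is constructed for the demonstration (its vid and CVE number are placeholders, not real entries), the version comparison is a simplified approximation of pkg's algorithm rather than its actual code, and the database path `/var/db/pkg/vuln.xml` is assumed.

```python
"""Cross-check a local VuXML database against CVEs you follow yourself.

Added example, not FreeBSD project code. `pkg audit` can only report what
vuln.xml contains, so this answers: (1) is a CVE referenced in the database
at all, and (2) does an installed version fall inside a VuXML <range>.
"""
import re
import sys
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"
DEFAULT_DB = "/var/db/pkg/vuln.xml"  # assumed default location of the fetched DB

# Constructed sample. The vid and CVE id are placeholders, not real entries.
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>tomcat8 -- placeholder issue (constructed sample)</topic>
    <affects>
      <package>
        <name>tomcat8</name>
        <range><lt>8.0.46</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml"><p>Placeholder.</p></body>
    </description>
    <references>
      <cvename>CVE-1900-0001</cvename>
    </references>
    <dates><discovery>2017-01-01</discovery><entry>2017-01-02</entry></dates>
  </vuln>
</vuxml>
"""


def version_key(v):
    """Turn a pkg version 'ver[_rev][,epoch]' into a comparable tuple.
    Simplified approximation of pkg's ordering: epoch, then dotted
    components (numeric prefix, then text), then port revision."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = []
    for p in v.split("."):
        m = re.match(r"^(\d*)(.*)$", p)
        num = int(m.group(1)) if m.group(1) else -1
        parts.append((num, m.group(2)))
    return (epoch, tuple(parts), rev)


_OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
        "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
        "eq": lambda a, b: a == b}


def in_range(version, range_el):
    """True if version satisfies every bound (lt/le/gt/ge/eq) in a <range>."""
    k = version_key(version)
    return all(_OPS[b.tag[len(VUXML_NS):]](k, version_key(b.text.strip()))
               for b in range_el)


def parse_vuxml(text):
    return ET.fromstring(text)


def cves_in_db(root):
    """Every CVE name referenced anywhere in the database."""
    return {c.text.strip() for c in root.iter(VUXML_NS + "cvename")}


def affected_vids(root, pkgname, version):
    """vids whose <affects> covers pkgname at the installed version."""
    hits = []
    for vuln in root.iter(VUXML_NS + "vuln"):
        for pkg in vuln.iter(VUXML_NS + "package"):
            names = {n.text.strip() for n in pkg.findall(VUXML_NS + "name")}
            if pkgname not in names:
                continue
            if any(in_range(version, r) for r in pkg.findall(VUXML_NS + "range")):
                hits.append(vuln.get("vid"))
    return hits


def audit_gap(root, tracked_cves):
    """CVEs you follow upstream that VuXML does not mention; for these,
    `pkg audit` cannot warn you, whatever version is installed."""
    known = cves_in_db(root)
    return sorted(c for c in tracked_cves if c not in known)


if __name__ == "__main__":
    # Usage: python vuxml_gap.py [/var/db/pkg/vuln.xml]; without a path the
    # constructed sample is used so the script runs offline.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VUXML
    root = parse_vuxml(text)
    print("tomcat8-8.0.45 affected by:", affected_vids(root, "tomcat8", "8.0.45"))
    print("tomcat8-8.0.46 affected by:", affected_vids(root, "tomcat8", "8.0.46"))
    print("tracked but absent from DB:",
          audit_gap(root, ["CVE-2017-12617", "CVE-1900-0001"]))
```

Run against the real database (after `pkg audit -F` has fetched it) with the CVE list you maintain from vendor announcements; any CVE the script reports as absent is one where a clean `pkg audit` run proves nothing, and the installed version has to be compared against the upstream advisory by hand.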
