Date: Mon, 09 Oct 2017 22:34:56 +0200
From: Jan Beich <jbeich@FreeBSD.org>
To: Matthew Seaman <matthew@FreeBSD.org>
Cc: freebsd-ports@freebsd.org
Subject: Re: New pkg audit FNs
Message-ID: <tvz8-rrf3-wny@FreeBSD.org>
References: <nycvar.OFS.7.76.1710090833020.60492@eboyr.pbz> <b63f2936-e922-4a90-f256-6d7870dbd55b@FreeBSD.org>
Matthew Seaman <matthew@FreeBSD.org> writes:

> On 09/10/2017 16:57, Roger Marquis wrote:
>
>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
>> there's no mention of it in the vulnerability database. The tomcat8
>> port's Makefile also still points to the older, vulnerable version.
>> Tomcat is one of those popular, internet-facing applications that sites
>> need to check and/or update quickly when CVEs are released, and most
>> admins probably don't expect "pkg audit" to throw false negatives.
>
> Ports-secteam (and secteam, for that matter) will update VuXML when they
> know about vulnerabilities that affect FreeBSD ports; however, the usual
> mechanism is that the port maintainer either updates VuXML themselves
> directly or tells the appropriate people that there are vulnerabilities
> that need to be recorded.

What happened to querying the CVE database using CPE strings?

ENOTIME is a common disease in volunteer projects, and ports-secteam@ is no
exception. Finding missing entries is trivial if one looks at the Debian
tracker. Let's pick something popular, e.g., tiff-4.0.8 has 6 CVEs, none
of which are fixed in the port.

https://wiki.freebsd.org/Ports/CPE
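The CPE-based cross-check Jan asks about, sketched as an added example that is not code from this thread, from pkg, or from the FreeBSD ports tree. It parses CPE 2.3 formatted strings (the layout the Ports/CPE wiki page documents for ports), matches an installed package's vendor/product/version against per-CVE applicability rules, and reports the CVEs that a VuXML-derived "already recorded" set does not contain, which is exactly the false-negative gap the thread is about. The rule field names (`cpe23Uri`, `versionStartIncluding`, `versionEndExcluding`, `versionEndIncluding`) follow NVD's JSON feed conventions; the sample CVE records, the version ranges (including the one attached to CVE-2017-12617), the `CVE-0000-TIFF*` identifiers and the "known in VuXML" set are all constructed here for illustration, not taken from any real feed.

```python
"""Cross-check installed port CPEs against CVE applicability rules.

Added example for the "New pkg audit FNs" thread. Not code from pkg,
VuXML or the FreeBSD ports tree; every record below is constructed.
"""
import re
from typing import Dict, Iterable, List, Set

CPE23_FIELDS = 13  # "cpe", "2.3" and the 11 CPE 2.3 attributes


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Return part/vendor/product/version from a CPE 2.3 formatted string.

    Escaped colons ("\\:") inside values are not handled; ports CPE
    strings do not use them, so a plain split is enough here.
    """
    fields = cpe.split(":")
    if len(fields) != CPE23_FIELDS or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return {"part": fields[2], "vendor": fields[3],
            "product": fields[4], "version": fields[5]}


def version_key(version: str):
    """Sortable key: numeric segments compare as ints, others as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def in_range(version: str, rule: Dict[str, str]) -> bool:
    """Apply NVD-style optional range bounds to a concrete version."""
    key = version_key(version)
    lo_inc = rule.get("versionStartIncluding")
    if lo_inc and key < version_key(lo_inc):
        return False
    hi_exc = rule.get("versionEndExcluding")
    if hi_exc and key >= version_key(hi_exc):
        return False
    hi_inc = rule.get("versionEndIncluding")
    if hi_inc and key > version_key(hi_inc):
        return False
    return True


def matching_cves(installed_cpe: str, cve_records: Iterable[dict]) -> List[str]:
    """CVE ids whose rules cover the installed package's version."""
    pkg = parse_cpe23(installed_cpe)
    hits = []
    for rec in cve_records:
        for rule in rec["cpe_match"]:
            crit = parse_cpe23(rule["cpe23Uri"])
            if (crit["vendor"], crit["product"]) != (pkg["vendor"], pkg["product"]):
                continue
            # A concrete version in the criterion must match exactly;
            # "*" or "-" defers to the range bounds on the rule.
            if crit["version"] not in ("*", "-") and crit["version"] != pkg["version"]:
                continue
            if in_range(pkg["version"], rule):
                hits.append(rec["id"])
                break  # one match per CVE is enough
    return hits


def audit_gaps(installed: Iterable[str], cve_records: Iterable[dict],
               known_in_vuxml: Set[str]) -> Dict[str, List[str]]:
    """Map each affected CPE to the CVEs VuXML does not yet record."""
    gaps = {}
    for cpe in installed:
        missing = [c for c in matching_cves(cpe, cve_records) if c not in known_in_vuxml]
        if missing:
            gaps[cpe] = missing
    return gaps


# --- constructed sample data -------------------------------------------
TOMCAT = "cpe:2.3:a:apache:tomcat:8.5.22:*:*:*:*:*:*:*"
TIFF = "cpe:2.3:a:libtiff:libtiff:4.0.8:*:*:*:*:*:*:*"

SAMPLE_CVES = [
    # CVE id from the thread; the range below is constructed for the example.
    {"id": "CVE-2017-12617", "cpe_match": [
        {"cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "8.5.0", "versionEndExcluding": "8.5.23"}]},
    # Placeholder ids standing in for the tiff CVEs the thread counts but does not name.
    {"id": "CVE-0000-TIFF1", "cpe_match": [
        {"cpe23Uri": "cpe:2.3:a:libtiff:libtiff:*:*:*:*:*:*:*:*",
         "versionEndIncluding": "4.0.8"}]},
    {"id": "CVE-0000-TIFF2", "cpe_match": [
        {"cpe23Uri": "cpe:2.3:a:libtiff:libtiff:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "4.0.9"}]},
]
KNOWN_IN_VUXML = {"CVE-0000-TIFF2"}  # constructed: pretend this one is already recorded

if __name__ == "__main__":
    for cpe, cves in audit_gaps([TOMCAT, TIFF], SAMPLE_CVES, KNOWN_IN_VUXML).items():
        print(f"{cpe}: not in VuXML -> {', '.join(cves)}")
```

Run against a real feed, the same logic is what turns a stale VuXML into a visible to-do list: anything `audit_gaps` returns is a package `pkg audit` will stay silent about until someone files the entry. Note the version comparison is deliberately simple (dotted numerics plus string segments); ports versions with `_N` or `,N` suffixes would need the FreeBSD-specific comparison before this is trusted in production.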