I found the ports security reporting without issues http://www.freebsd.org/security/reporting.html. Appears someone should read reporting page Instead of saying information is not correct. On May 27, 2015 12:40 PM, "Roger Marquis" <marq...@roble.com> wrote:
> If you find a vulnerability such as a new CVE or mailing list >>> announcement please send it to the port maintainer and >>> <ports-sect...@freebsd.org> as quickly as possible. They are whoefully >>> understaffed and need our help. >>> >> Mark Felder wrote: > >> Who is "ports-secteam"? >> > > It was Xin Li who alerted me to the ports-sect...@freebsd.org address > i.e., as being distinct from the "FreeBSD Security Team" > (sect...@freebsd.org) address noted on > <https://www.freebsd.org/security/>. > > There has been no Call For Help that I've ever seen. If people are needed >> to process these CVEs so they are entered into VUXML, sign me up to >> ports-secteam please. >> > > I believe that is part of the problem, or the multiple problems, that > lead me to believe that FreeBSD is operating without the active > involvement of a security officer. Specifically: > > * port vulnerability alerts sent to secteam@, as indicated on the > /security/ page, are neither forwarded to ports-secteam@ for review nor > returned to the sender with a note regarding the correct destination > address, > > * the freebsd.org/security web page is not correct and not being > updated, > > * aside from Xin nobody from either ports-secteam@ or secteam@ much > less security-officer@ seems to be reading or participating in the > security@ mailing list, > > * nobody @freebsd.org appears to be following CVE announcements and the > maintainers of several high profile ports are also not following it or > even their application's -announce list, > > * there appears to be no automated process to alert vuln.xml maintainers > (ports-secteam@) of potential new port vulnerabilities, > > * offers of help to secteam@ and ports-secteam@ are neither replied to > nor acted upon (except for Xin Li's request, thanks Xin!), > > * perhaps as a result the vuln.xml database is no longer reliable, and > by extension, > > * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and > OpenBSD server operators) have no assurance that their systems are secure. > > This is a MAJOR CHANGE from just a couple of years ago which calls for an > equally major heads-up to be sent to those running FreeBSD servers and > looking to the freebsd.org website for help securing their systems. > > The signifiance of these 7 bullets should not be overlooked or > understated. They call in to question the viability of FreeBSD itself. > > IMO, > Roger Marquis > _______________________________________________ > freebsd-ports@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ports > To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org" > _______________________________________________ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
