On 11/04/2014 15:34, Erik Trulsson wrote:
> Quoting sbre...@hotmail.com:
>
>> I receive daily email from the host which normally shows port audits
>> and vulnerabilities. However, I did not spot anything related to
>> CVE-2014-0160 in this email. I expected the same info to come in this
>> email about the base system as well.
>>
>> How do you normally inform about recent vulnerabilities in the base
>> system? (I believe newspaper and TV is not the best way...)
>
> No, the port audit system does not cover base system vulnerabilities.
>
> Security advisories regarding the base system are supposed to be sent by
> e-mail to the following mailing lists:
>
> freebsd-security-notificati...@freebsd.org
> FreeBSD-security@FreeBSD.org
> freebsd-annou...@freebsd.org
>
> Personally I would recommend all FreeBSD users to subscribe to the
> freebsd-announce list at least.
portaudit is rapidly becoming obsolete. Today's alternative is pkg-audit(8).

One of the non-obvious things about the switch from portaudit to pkg audit is that pkg audit uses the standard vuxml vulnerability database directly, whereas portaudit used its own vulnerability data, which was essentially a heavily trimmed extract from vuxml.

The interesting thing about vuxml is that it is quite possible to write vulnerability entries for the base system. E.g. http://vuxml.freebsd.org/freebsd/b72bad1c-20ed-11e3-be06-000c29ee3065.html

This is applied inconsistently though. While there is an entry for OpenSSL Heartbleed, it doesn't contain any reference to the FreeBSD base system and the security advisories (at least, not at the time I was writing this...)

It's also not a feature of pkg audit or any other tool I am aware of that it can warn about base system vulnerabilities. Such functionality would be very welcome though.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
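The mechanism Matthew describes, pkg audit matching installed package versions against the VuXML `<affects>` ranges, and the gap he points out (nothing warns about the base system), can be illustrated with a small matcher. The script below is an added example written for this thread; it is not pkg(8), portaudit or FreeBSD project code. It embeds a constructed VuXML document (placeholder `vid` values and made-up version ranges, not a real advisory), assumes that base-system entries name the pseudo-package `FreeBSD` with versions written as `10.0_9` for patch level 9, and uses a simplified version ordering (dotted numeric components, an optional letter suffix, `_N` patch level, `,N` epoch) rather than pkg(8)'s full comparison. The `base_version_from_release` helper is hypothetical: it maps a `freebsd-version`-style string such as `10.0-RELEASE-p9` into that assumed form so the running base system can be audited the same way as a port.

```python
"""Minimal VuXML matcher for ports and the base system (added illustration)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in VuXML form. The vid values and version ranges are
# placeholders for this example, not a real FreeBSD advisory.
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>FreeBSD -- example base system issue (constructed)</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.0</ge><lt>10.0_9</lt></range>
        <range><ge>9.2</ge><lt>9.2_7</lt></range>
      </package>
    </affects>
    <references><freebsdsa>SA-YY:NN.placeholder</freebsdsa></references>
    <dates><entry>2014-04-11</entry></dates>
  </vuln>
  <vuln vid="11111111-1111-1111-1111-111111111111">
    <topic>openssl -- example port issue (constructed)</topic>
    <affects>
      <package>
        <name>openssl</name>
        <range><ge>1.0.1</ge><lt>1.0.1_10</lt></range>
      </package>
    </affects>
    <dates><entry>2014-04-08</entry></dates>
  </vuln>
</vuxml>
"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def _component(c):
    # "1g" -> (1, "g"); "10" -> (10, ""); a bare letter suffix sorts after none.
    m = re.match(r"(\d*)(.*)", c)
    return (int(m.group(1) or 0), m.group(2))


def version_key(ver):
    """Simplified FreeBSD version ordering (assumption for this example):
    epoch ",N" first, then dotted components, then "_N" patch level.
    pkg(8) implements a richer comparison; this covers the sample data."""
    epoch = 0
    if "," in ver:
        ver, e = ver.split(",", 1)
        epoch = int(e)
    patch = 0
    if "_" in ver:
        ver, p = ver.split("_", 1)
        patch = int(p)
    return (epoch, [_component(x) for x in ver.split(".")], patch)


def base_version_from_release(release):
    """Hypothetical helper: map '10.0-RELEASE-p9' to the '10.0_9' form this
    example assumes base-system VuXML entries use."""
    m = re.match(r"(\d+\.\d+)-[A-Z0-9]+(?:-p(\d+))?$", release)
    if not m:
        raise ValueError("unrecognised release string: " + release)
    return m.group(1) + ("_" + m.group(2) if m.group(2) else "")


def in_range(version, rng):
    """True if version satisfies every bound element inside one <range>."""
    key = version_key(version)
    ops = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
           "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
           "eq": lambda a, b: a == b}
    for bound in rng:
        tag = bound.tag.split("}")[-1]  # strip the namespace prefix
        if tag in ops and not ops[tag](key, version_key(bound.text.strip())):
            return False
    return True


def audit(vuxml_text, installed):
    """installed: {package_name: version}; the base system is passed as the
    pseudo-package 'FreeBSD'. Returns [(name, version, vid, topic), ...]."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        topic = vuln.findtext("v:topic", default="", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            for name_el in pkg.findall("v:name", NS):
                name = name_el.text.strip()
                if name not in installed:
                    continue
                ver = installed[name]
                if any(in_range(ver, r) for r in pkg.findall("v:range", NS)):
                    hits.append((name, ver, vid, topic))
    return hits


if __name__ == "__main__":
    system = {"FreeBSD": base_version_from_release("10.0-RELEASE-p5"),
              "openssl": "1.0.1_9"}
    for name, ver, vid, topic in audit(SAMPLE_VUXML, system):
        print("%s-%s is vulnerable: %s (%s)" % (name, ver, topic, vid))
```

The check Matthew wishes pkg audit performed is the `FreeBSD` pseudo-package lookup: once the running release is expressed in the same version form as the VuXML ranges, the base system falls out of the same matching loop as any port, and a daily report could list it alongside the port findings.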