>> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and >> OpenBSD server operators) have no assurance that their systems are >> secure. > > Slow down here for a second. Where's the command-line tool on RedHat or > Debian that lists only the known vulnerable packages?
In RedHat you can create a security repo list ( grep "-security" /etc/apt/sources.list), install the security plugin (yum install yum-plugin-security) and 'yum check-update --security' for the same functionality as 'pkg audit -F'. Debian is even more obscure (apt-get upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list --just-print). FreeBSD 'pkg audit' is much cleaner but what difference does that make, really, when you have a vulnerable package that isn't in the database? > But that's not the end of the story. That > command won't list vulnerabilities until they have a patch released. > Let's look at CVE-2015-0209 > https://access.redhat.com/security/cve/CVE-2015-0209 > Release date was March 23rd. No question there's variability in bugfix timeliness, especially for DOS-type bugs like CVE-2015-0209. FreeBSD ports maintainers are also able to commit patches and version updates much more quickly than their binary-only competitors, as noted with the php55/Makefile tweak. In the past that's what made FreeBSD a more secure OS to host applications on. But that's not the main issue this thread has been about. The issue that really matters from a security perspective is the completeness of the vulnerability database, vuln.xml in our case. > The grass is always greener... or is it? > > Let's just concentrate on how to improve things here and not worry about > how they're handling security issues because they have their own unique > problems to solve. I must say I am disappointed in the response to this serious and significant issue. My Redhat using co-workers, OTOH, are no doubt eating it up. Problem is I'm not the only one who has to defend their business unit's use of FreeBSD in a corporation that has otherwise nearly standardized on Redhat (and RH security, bash notwithstanding). Roger _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
