On Thu, Aug 13, 2015, at 15:20, Mason Loring Bliss wrote:
> A recent quarterly report:
>
> https://www.freebsd.org/news/status/report-2015-04-2015-06.html
>
> and last week's BSD Now episode both hint that quarterly packages will be
> the default for 10.2. I just looked, and sure enough:
>
> https://svnweb.freebsd.org/base/releng/10.2/etc/pkg/FreeBSD.conf?view=markup
>
> So, my issue here is that I run quarterly branches, and they are awful in
> terms of security updates. With FreeBSD 10.2 imminent, are we expecting
> users to install vulnerable versions of things like Firefox right off the
> bat, and then wait for whatever fixes exist at the time the next quarterly
> branch is cut?

You should not see vulnerable packages in the quarterly branch unless there
is no public fix available. If you come across this type of situation where
it is fixed in HEAD but not in the quarterly branch, please email the
maintainer and ports-secteam@ ASAP.

> A pkg audit against an up-to-date package set is pretty disappointing:
>
> /usr/ports# pkg audit -F
> vulnxml file up-to-date
> libvpx-1.4.0 is vulnerable:
> libvpx -- multiple buffer overflows
> CVE: CVE-2015-4486
> CVE: CVE-2015-4485
> WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html
>
> libxul-38.1.0 is vulnerable:
> mozilla -- multiple vulnerabilities
> CVE: CVE-2015-4493
> CVE: CVE-2015-4492
> CVE: CVE-2015-4491
> CVE: CVE-2015-4490
> CVE: CVE-2015-4489
> CVE: CVE-2015-4488
> CVE: CVE-2015-4487
> CVE: CVE-2015-4484
> CVE: CVE-2015-4483
> CVE: CVE-2015-4482
> CVE: CVE-2015-4481
> CVE: CVE-2015-4480
> CVE: CVE-2015-4479
> CVE: CVE-2015-4478
> CVE: CVE-2015-4474
> CVE: CVE-2015-4473
> WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

This was handled here:
https://svnweb.freebsd.org/ports?view=revision&revision=394030

> sox-14.4.2 is vulnerable:
> sox -- memory corruption vulnerabilities
> WWW: https://vuxml.FreeBSD.org/freebsd/9dd761ff-30cb-11e5-a4a5-002590263bf5.html

Sox has no public fix yet.

> subversion-1.8.10_3 is vulnerable:
> subversion -- DoS vulnerabilities
> CVE: CVE-2014-8108
> CVE: CVE-2014-3580
> WWW: https://vuxml.FreeBSD.org/freebsd/f5561ade-846c-11e4-b7a7-20cf30e32f6d.html
>
> subversion-1.8.10_3 is vulnerable:
> subversion -- DoS vulnerabilities
> CVE: CVE-2015-0251
> CVE: CVE-2015-0248
> CVE: CVE-2015-0202
> WWW: https://vuxml.FreeBSD.org/freebsd/8e887b71-d769-11e4-b1c2-20cf30e32f6d.html
>
> subversion-1.8.10_3 is vulnerable:
> subversion -- multiple vulnerabilities
> CVE: CVE-2015-3187
> CVE: CVE-2015-3184
> WWW: https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html

I can't speak to subversion at the moment.

> firefox-39.0,1 is vulnerable:
> libvpx -- multiple buffer overflows
> CVE: CVE-2015-4486
> CVE: CVE-2015-4485
> WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html
>
> firefox-39.0,1 is vulnerable:
> mozilla -- multiple vulnerabilities
> CVE: CVE-2015-4495
> WWW: https://vuxml.FreeBSD.org/freebsd/8eee06d4-c21d-4f07-a669-455151ff426f.html
>
> firefox-39.0,1 is vulnerable:
> mozilla -- multiple vulnerabilities
> CVE: CVE-2015-4493
> CVE: CVE-2015-4492
> CVE: CVE-2015-4491
> CVE: CVE-2015-4490
> CVE: CVE-2015-4489
> CVE: CVE-2015-4488
> CVE: CVE-2015-4487
> CVE: CVE-2015-4484
> CVE: CVE-2015-4483
> CVE: CVE-2015-4482
> CVE: CVE-2015-4481
> CVE: CVE-2015-4480
> CVE: CVE-2015-4479
> CVE: CVE-2015-4478
> CVE: CVE-2015-4477
> CVE: CVE-2015-4475
> CVE: CVE-2015-4474
> CVE: CVE-2015-4473
> WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

The quarterly branch has 40.0_4,1, which I linked above (r394030), so this
does not apply either.

Just look at the package mirror:

http://pkg.freebsd.org/freebsd:10:x86:64/quarterly/All/

* firefox-40.0_4,1.txz
* subversion-1.8.13_2.txz
* libxul-38.2.0_2.txz

The packages are there, so I don't understand how you observe these packages
to still be vulnerable.

In short: DON'T PANIC. The ports-secteam is dedicated to making sure the
quarterly branches are getting constant care and feeding. There have been a
lot of changes in the past couple of months -- just look at the increase in
vuxml entries being fed in.

Keep in mind that the less churn the quarterly branches have, the faster the
packages can build. I can't make any promises and I'm not involved in the
package building architecture, but I expect you'll see quarterly branches get
ports/packages built and distributed to the mirrors faster simply because
it's less work to do so.
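The check the reply does by hand, comparing each package that `pkg audit -F` flags against what the repository already carries, separates the two very different situations the thread conflates: a package that is vulnerable because the host has not been upgraded yet, and one that is vulnerable because no public fix exists. The script below is an added example, not code from the thread, from pkg or from the FreeBSD project. It assumes the audit layout quoted above, a repository listing shaped like the output of `pkg rquery -a '%n-%v'`, and a simplified re-implementation of pkg's `name-version[_revision][,epoch]` ordering that is exact for the numeric versions seen here; the two sample inputs are constructed from the versions named in the thread.

```python
"""Triage `pkg audit -F` output against a repository listing (added example).

Assumes the audit layout quoted in the thread, a repo listing shaped like the
output of `pkg rquery -a '%n-%v'`, and a simplified version of pkg's
name-version[_revision][,epoch] ordering that is exact for numeric versions.
"""
import re

# Constructed sample, abridged from the audit output quoted in the thread.
AUDIT_SAMPLE = """\
vulnxml file up-to-date
libvpx-1.4.0 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html
sox-14.4.2 is vulnerable:
sox -- memory corruption vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/9dd761ff-30cb-11e5-a4a5-002590263bf5.html
subversion-1.8.10_3 is vulnerable:
subversion -- DoS vulnerabilities
CVE: CVE-2014-8108
CVE: CVE-2014-3580
WWW: https://vuxml.FreeBSD.org/freebsd/f5561ade-846c-11e4-b7a7-20cf30e32f6d.html
subversion-1.8.10_3 is vulnerable:
subversion -- multiple vulnerabilities
CVE: CVE-2015-3187
CVE: CVE-2015-3184
WWW: https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html
firefox-39.0,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4495
WWW: https://vuxml.FreeBSD.org/freebsd/8eee06d4-c21d-4f07-a669-455151ff426f.html
"""
# Constructed repo listing: the first three versions are the ones the reply
# names on the quarterly mirror; sox is assumed unchanged (no public fix yet)
# and libvpx is left out on purpose to exercise the "not in repo" branch.
REPO_SAMPLE = """\
firefox-40.0_4,1
subversion-1.8.13_2
libxul-38.2.0_2
sox-14.4.2
"""

def split_pkg(spec):
    """'firefox-39.0,1' -> ('firefox', '39.0,1'); the version follows the last '-'."""
    name, _, version = spec.rpartition("-")
    return name, version

def version_key(version):
    """Sortable key (epoch, components, revision); epoch outranks everything."""
    base, _, epoch = version.partition(",")
    base, _, revision = base.partition("_")
    components = []
    for comp in base.split("."):
        # digit runs compare numerically, letter runs lexically
        components.append(tuple((0, int(t)) if t.isdigit() else (1, t)
                                for t in re.findall(r"\d+|[A-Za-z]+", comp)))
    return (int(epoch or 0), components, int(revision or 0))

def compare_versions(a, b):
    """-1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)

def parse_audit(text):
    """Merge the per-advisory blocks into one record per installed package."""
    pkgs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+) is vulnerable:$", line)
        if m:
            name, version = split_pkg(m.group(1))
            current = pkgs.setdefault(
                name, {"installed": version, "cves": set(), "advisories": set()})
        elif current and line.startswith("CVE: "):
            current["cves"].add(line[5:].strip())
        elif current and line.startswith("WWW: "):
            # keep only the VuXML entry id from the advisory URL
            current["advisories"].add(re.sub(r"\.html$", "", line.rsplit("/", 1)[-1]))
    return pkgs

def triage(audit_text, repo_text):
    """Classify each vulnerable package: newer build in repo, same version, or absent."""
    repo = dict(split_pkg(l.strip()) for l in repo_text.splitlines() if l.strip())
    report = {}
    for name, info in parse_audit(audit_text).items():
        available = repo.get(name)
        if available is None:
            status = "not_in_repo"
        else:
            c = compare_versions(available, info["installed"])
            status = {1: "upgrade_available", 0: "same_version", -1: "installed_newer"}[c]
        report[name] = {"installed": info["installed"], "available": available,
                        "status": status, "cves": sorted(info["cves"]),
                        "advisories": sorted(info["advisories"])}
    return report

if __name__ == "__main__":
    for name, r in triage(AUDIT_SAMPLE, REPO_SAMPLE).items():
        print(f"{name}-{r['installed']}: {r['status']} (repo {r['available']}, "
              f"{len(r['cves'])} CVEs, {len(r['advisories'])} advisories)")
```

On a live host, replace the two samples with the real `pkg audit -F` and `pkg rquery -a '%n-%v'` output. An `upgrade_available` result means the fix is already on the mirror and the answer is `pkg upgrade`, not a report to ports-secteam@; only `same_version` entries match the "no public fix available" case the reply describes, and those are the ones worth mailing about if HEAD already has a fix. The version key is a simplification; on FreeBSD itself `pkg version -t` gives the authoritative ordering.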
_______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"