On Fri, Aug 14, 2015 at 10:27:44AM -0500, Mark Felder wrote:

> You should not see vulnerable packages in the quarterly branch unless
> there is no public fix available. If you come across this type of
> situation where it is fixed in HEAD but not in the quarterly branch
> please email the maintainer and ports-secteam@ ASAP.

Sounds reasonable.

> I can't speak to subversion at the moment

My next email noted that I had held back Subversion intentionally, so that
one was my fault.

> Quarterly branch has 40.0_4,1 which I linked above (r394030), so this
> does not apply either.

Now, THAT is cheating. Firefox wasn't updated in the quarterly branch until
*after* I pointed it out on the list.

> The packages are there, so I don't understand how you observe these
> packages to still be vulnerable.

How about, two of them were vulnerable until I wrote to the list with the
dismaying thought that we were going to ship vulnerable packages, at which
point someone with the ability to push packages around decided to fix
them...?

That said, I will happily use the mechanisms you noted if I see this sort of
situation in the future, and I am sincerely, deeply grateful that the
high-profile stuff I pointed out was fixed so rapidly in response to my
pointing it out.

--
Mason Loring Bliss  ((  If I have not seen as far as others, it is because
ma...@blisses.org   ))  giants were standing on my shoulders. - Hal Abelson

_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"