Shawn Webb wrote:
There's no need for ROP, JOP, SROP, etc. on FreeBSD. FreeBSD is literally stuck in 1999-era security.
This is doubly true for ports, including Tor. I submitted a vuxml entry for apache-tomcat 5 days ago that still has not been committed. A follow-up resulted in two replies from a helpful member of the ports-secteam, but which took as long to write as the vuxml would have taken to validate and commit. Its CVE is priority 7 (remotely exploitable) but almost a week later pkg audit still won't tell you if you're running an exploitable Tomcat. The explanation I received is that the ports-secteam is a volunteer effort and nobody really expects 'pkg audit' to be timely anyhow. Such easily fixable problems. Even the FreeBSD Foundation for all the projects it funds, and could fund with +$2.5M in the bank, doesn't seem to care.

Roger Marquis