Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-11 Thread Eitan Adler
On 11 June 2015 at 06:47, Matthew Seaman wrote: > On 11/06/2015 09:15, Mark Linimon wrote: >> On Wed, Jun 10, 2015 at 11:45:29PM -0600, Janky Jay, III wrote: >>> Hrm... Numerous inquiries regarding this and no response is somewhat >>> disappointing. >> >> This is not an excuse, but a number of us

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-11 Thread Matthew Seaman
On 11/06/2015 09:15, Mark Linimon wrote: > On Wed, Jun 10, 2015 at 11:45:29PM -0600, Janky Jay, III wrote: >> Hrm... Numerous inquiries regarding this and no response is somewhat >> disappointing. > > This is not an excuse, but a number of us are at BSDCan and distracted. > > There have been disc

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-11 Thread Mark Linimon
On Wed, Jun 10, 2015 at 11:45:29PM -0600, Janky Jay, III wrote: > Hrm... Numerous inquiries regarding this and no response is somewhat > disappointing. This is not an excuse, but a number of us are at BSDCan and distracted. There have been discussions about how to solve the larger "ports security

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-10 Thread Janky Jay, III
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hrm... Numerous inquiries regarding this and no response is somewhat disappointing. If anyone gets any feedback from anywhere else, please update the rest of us (BSDCan contacts/update included... I can't make it... :( ) Regards, Janky Jay, III On 0

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-08 Thread Mark Felder
On Mon, Jun 8, 2015, at 15:55, Roger Marquis wrote: > > On Fri, May 29, 2015 at 5:15 PM, Robert Simmons wrote: > > Crickets. > > > > May I ask again: > > > > How do we find out who the members of the Ports Secteam are? > > > > How do we join the team? > > Anyone? > I really hope this can

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-08 Thread Roger Marquis
> On Fri, May 29, 2015 at 5:15 PM, Robert Simmons wrote: > Crickets. > > May I ask again: > > How do we find out who the members of the Ports Secteam are? > > How do we join the team? Anyone? >> On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery >> wrote: >>> I think the VUXML database needs

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-02 Thread Robert Simmons
On Fri, May 29, 2015 at 5:15 PM, Robert Simmons wrote: > On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery wrote: >> I think the VUXML database needs to be simpler to contribute to. Only a >> handful of committers feel comfortable touching the file. We have also >> had the wrong pervasive mentality

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-29 Thread Don Lewis
On 29 May, Robert Simmons wrote: > On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery wrote: >> I think the VUXML database needs to be simpler to contribute to. Only a >> handful of committers feel comfortable touching the file. We have also >> had the wrong pervasive mentality by committers and user

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-29 Thread Robert Simmons
On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery wrote: > I think the VUXML database needs to be simpler to contribute to. Only a > handful of committers feel comfortable touching the file. We have also > had the wrong pervasive mentality by committers and users that the vuxml > database should onl

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-29 Thread Sevan / Venture37
On 28 May 2015 at 17:47, Bryan Drewery wrote: > I think the VUXML database needs to be simpler to contribute to. Only a > handful of committers feel comfortable touching the file. We have also > had the wrong pervasive mentality by committers and users that the vuxml > database should only have an

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Janky Jay, III
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 05/28/2015 11:31 AM, Mark Felder wrote: > > > On Thu, May 28, 2015, at 11:47, Bryan Drewery wrote: >> >> Personally I agree on all points. Our ports security regime is not >> working. > > I already communicated further with Roger off-list, but wou

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Mark Felder
On Thu, May 28, 2015, at 11:47, Bryan Drewery wrote: > > Personally I agree on all points. Our ports security regime is not > working. I already communicated further with Roger off-list, but would like to point out that I *do* think there is a problem, but I don't think it's "the sky is fallin

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Bryan Drewery
On 5/28/2015 12:16 PM, Mark Felder wrote: > > > On Thu, May 28, 2015, at 11:47, Bryan Drewery wrote: >> >> I think the VUXML database needs to be simpler to contribute to. Only a >> handful of committers feel comfortable touching the file. > > We could use a very friendly user-facing form that t

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Mark Felder
On Thu, May 28, 2015, at 11:47, Bryan Drewery wrote: > > I think the VUXML database needs to be simpler to contribute to. Only a > handful of committers feel comfortable touching the file. We could use a very friendly user-facing form that they can fill out to create a valid vuxml entry. And th

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Mark Felder
On Thu, May 28, 2015, at 11:57, Bryan Drewery wrote: > On 5/28/2015 11:47 AM, Bryan Drewery wrote: > > On 5/27/2015 12:40 PM, Roger Marquis wrote: > ... > > > This php one came up in the week and I almost > > "just fixed it", but doing those things burns me out as I have my own > > priorities. >

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Bryan Drewery
On 5/28/2015 11:47 AM, Bryan Drewery wrote: > On 5/27/2015 12:40 PM, Roger Marquis wrote: ... > This php one came up in the week and I almost > "just fixed it", but doing those things burns me out as I have my own > priorities. One of which is maintaining the package builders for FreeBSD.org. On

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Bryan Drewery
On 5/27/2015 12:40 PM, Roger Marquis wrote: >>> If you find a vulnerability such as a new CVE or mailing list >>> announcement please send it to the port maintainer and >>> as quickly as possible. They are woefully >>> understaffed and need our help. > Mark Felder wrote: >> Who is "ports-secteam

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
> Mark Felder wrote: >> Who is "ports-secteam"? > > It was Xin Li who alerted me to the ports-sect...@freebsd.org address > i.e., as being distinct from the "FreeBSD Security Team" > (sect...@freebsd.org) address noted on > . Also have to thank Remko Lodder for p

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
>> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and >> OpenBSD server operators) have no assurance that their systems are >> secure. > > Slow down here for a second. Where's the command-line tool on RedHat or > Debian that lists only the known vulnerable packages? In R

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Mark Felder
On Wed, May 27, 2015, at 12:40, Roger Marquis wrote: > > * perhaps as a result the vuln.xml database is no longer reliable, and > by extension, > > * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and > OpenBSD server operators) have no assurance that their systems ar

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Matthew Donovan
I found the ports security reporting without issues: http://www.freebsd.org/security/reporting.html. It appears someone should read the reporting page instead of saying the information is not correct. On May 27, 2015 12:40 PM, "Roger Marquis" wrote: > If you find a vulnerability such as a new CVE or mailing

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
If you find a vulnerability such as a new CVE or mailing list announcement please send it to the port maintainer and as quickly as possible. They are woefully understaffed and need our help. Mark Felder wrote: Who is "ports-secteam"? It was Xin Li who alerted me to the ports-sect...@freebsd

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-26 Thread Mark Felder
On Sat, May 23, 2015, at 10:30, Roger Marquis wrote: > > If you find a vulnerability such as a new CVE or mailing list > announcement please send it to the port maintainer and > as quickly as possible. They are woefully > understaffed and need our help. Who is "ports-secteam"? There has bee

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-24 Thread Kevin Oberman
On Sun, May 24, 2015 at 12:53 AM, Xin Li wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Hi, > > On 5/23/15 09:14, Jason Unovitch wrote: > > On Sat, May 23, 2015 at 11:30 AM, Roger Marquis > > wrote: > >> If you find a vulnerability such as a new CVE or mailing list > >> announcem

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-24 Thread Xin Li
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi, On 5/23/15 09:14, Jason Unovitch wrote: > On Sat, May 23, 2015 at 11:30 AM, Roger Marquis > wrote: >> If you find a vulnerability such as a new CVE or mailing list >> announcement please send it to the port maintainer and >> as quickly as po

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Remko Lodder
Please send these things to ports-sect...@freebsd.org so that they can have a look at these please. Thanks, Remko > On 23 May 2015, at 17:30, Roger Marquis wrote: > > FYI regarding these new and significant failures of FreeBSD security > policy and procedures. > > PHP55 vulnerabilities announ

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Jason Unovitch
On Sat, May 23, 2015 at 11:30 AM, Roger Marquis wrote: > If you find a vulnerability such as a new CVE or mailing list > announcement please send it to the port maintainer and > as quickly as possible. They are woefully > understaffed and need our help. Though freebsd.org indicates that > secu

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Andreas Andersson
Is it enough to only update php55? I could create a patch with relative ease in that case. 2015-05-23 17:30 GMT+02:00 Roger Marquis : > FYI regarding these new and significant failures of FreeBSD security > policy and procedures. > > PHP55 vulnerabilities announced over a week ago >