Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-08 Thread Mark Felder
On Mon, Jun 8, 2015, at 15:55, Roger Marquis wrote:
> > On Fri, May 29, 2015 at 5:15 PM, Robert Simmons wrote:
> > Crickets.
> >
> > May I ask again:
> >
> > How do we find out who the members of the Ports Secteam are?
> >
> > How do we join the team?
> Anyone?
> I really hope this can

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-08 Thread Roger Marquis
> On Fri, May 29, 2015 at 5:15 PM, Robert Simmons wrote:
> Crickets.
>
> May I ask again:
>
> How do we find out who the members of the Ports Secteam are?
>
> How do we join the team?

Anyone?

>> On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery
>> wrote:
>>> I think the VUXML database needs

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Roger Marquis
Walter Parker wrote:
> What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that
> their systems are secure? An audit trail of CVE issues fixed, while a
> good start, is hardly a strong assurance that the system is secure.

An important point and thank you for making it Walter. There

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Walter Parker
> Date: Wed, 27 May 2015 14:35:41 -0700
> From: "Roger Marquis"
> To: "Mark Felder"
> Cc: freebsd-po...@freebsd.org, freebsd-security@freebsd.org
> Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
> Message-ID:
> Content-Type: text/plain;

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
> Mark Felder wrote:
>> Who is "ports-secteam"?
>
> It was Xin Li who alerted me to the ports-sect...@freebsd.org address
> i.e., as being distinct from the "FreeBSD Security Team"
> (sect...@freebsd.org) address noted on
> . Also have to thank Remko Lodder for p

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
>> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
>> OpenBSD server operators) have no assurance that their systems are
>> secure.
>
> Slow down here for a second. Where's the command-line tool on RedHat or
> Debian that lists only the known vulnerable packages? In R

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-24 Thread Kevin Oberman
On Sun, May 24, 2015 at 12:53 AM, Xin Li wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> On 5/23/15 09:14, Jason Unovitch wrote:
> > On Sat, May 23, 2015 at 11:30 AM, Roger Marquis
> > wrote:
> >> If you find a vulnerability such as a new CVE or mailing list
> >> announcem

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-24 Thread Xin Li
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

On 5/23/15 09:14, Jason Unovitch wrote:
> On Sat, May 23, 2015 at 11:30 AM, Roger Marquis
> wrote:
>> If you find a vulnerability such as a new CVE or mailing list
>> announcement please send it to the port maintainer and
>> as quickly as po

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Remko Lodder
Please send these things to ports-sect...@freebsd.org so that they can have a look at these please.

Thanks,
Remko

> On 23 May 2015, at 17:30, Roger Marquis wrote:
>
> FYI regarding these new and significant failures of FreeBSD security
> policy and procedures.
>
> PHP55 vulnerabilities announ

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Andreas Andersson
Is it enough to only update php55? I could create a patch with relative easiness in that case.

2015-05-23 17:30 GMT+02:00 Roger Marquis :
> FYI regarding these new and significant failures of FreeBSD security
> policy and procedures.
>
> PHP55 vulnerabilities announced over a week ago
>

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Jason Unovitch
On Sat, May 23, 2015 at 11:30 AM, Roger Marquis wrote:
> If you find a vulnerability such as a new CVE or mailing list
> announcement please send it to the port maintainer and
> as quickly as possible. They are woefully
> understaffed and need our help. Though freebsd.org indicates that
> secu

New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Roger Marquis
FYI regarding these new and significant failures of FreeBSD security policy and procedures.

PHP55 vulnerabilities announced over a week ago ) have still not been ported to lang/php55. You can, however, edit the Makefile, increment the POR

Re: pkg audit / vuln.xml failures

2015-05-18 Thread Sevan / Venture37
On 18 May 2015 at 20:26, Mark Felder wrote:
> I was just thinking it might be nice when you're committing a change to
> a port to fix a CVE if there was a tag you can drop in the commit log to
> tell ports-security if there is a need for an entry to vuln.xml. At
> least those without experience ed

Re: pkg audit / vuln.xml failures

2015-05-18 Thread Mark Felder
On Mon, May 18, 2015, at 14:01, Sevan / Venture37 wrote:
> On 18 May 2015 at 19:06, Mark Felder wrote:
> >
> >
> > On Sun, May 17, 2015, at 16:02, Roger Marquis wrote:
> >> Does anyone know what's going on with vuln.xml updates? Over the last
> >> few weeks and months CVEs and application maili

Re: pkg audit / vuln.xml failures

2015-05-18 Thread Sevan / Venture37
On 18 May 2015 at 19:06, Mark Felder wrote:
>
>
> On Sun, May 17, 2015, at 16:02, Roger Marquis wrote:
>> Does anyone know what's going on with vuln.xml updates? Over the last
>> few weeks and months CVEs and application mailing lists have announced
>> vulnerabilities for several ports that in so

Re: pkg audit / vuln.xml failures

2015-05-18 Thread Mark Felder
On Sun, May 17, 2015, at 16:02, Roger Marquis wrote:
> Does anyone know what's going on with vuln.xml updates? Over the last
> few weeks and months CVEs and application mailing lists have announced
> vulnerabilities for several ports that in some cases only showed up in
> vuln.xml after several

Re: pkg audit / vuln.xml failures

2015-05-18 Thread Roger Marquis
ports-secteam@ owns this file, not secteam@. Thanks for the pointer Bryan. I would hope that port vulnerability emails are forwarded from secteam@ to ports-secteam@, by policy, as the freebsd.org website is not clear on this. Either way at least I/we now know the right address/es. The team n

Re: pkg audit / vuln.xml failures

2015-05-18 Thread Bryan Drewery
On 5/17/2015 4:02 PM, Roger Marquis wrote:
> Does anyone know what's going on with vuln.xml updates? Over the last
> few weeks and months CVEs and application mailing lists have announced
> vulnerabilities for several ports that in some cases only showed up in
> vuln.xml after several days and in

pkg audit / vuln.xml failures

2015-05-17 Thread Roger Marquis
Does anyone know what's going on with vuln.xml updates? Over the last few weeks and months CVEs and application mailing lists have announced vulnerabilities for several ports that in some cases only showed up in vuln.xml after several days and in other cases are still not listed (despite email to