freebsd security - May 2015 - pkg audit / vuln.xml failures

On Sun, May 17, 2015, at 16:02, Roger Marquis wrote:
> Does anyone know what's going on with vuln.xml updates?  Over the last
> few weeks and months CVEs and application mailing lists have announced
> vulnerabilities for several ports that in some cases only showed up in
> vuln.xml after several days and in other cases are still not listed
> (despite email to the security team).
> 
> Is there a URL outlining the policies and procedures of vuln.xml
> maintenance?
> 
I am also interested. I know there is a desire to leverage CPE in the
future, but I've seen CPE entries take weeks to show up. Our vuln.xml
maintenance has always been pretty solid. Is there a lack of manpower
right now? Are there notices/reports not being processed?

How can we help?

On 18 May 2015 at 19:06, Mark Felder <feld at freebsd.org>
wrote:
>
>
> On Sun, May 17, 2015, at 16:02, Roger Marquis wrote:
>> Does anyone know what's going on with vuln.xml updates?  Over the
last
>> few weeks and months CVEs and application mailing lists have announced
>> vulnerabilities for several ports that in some cases only showed up in
>> vuln.xml after several days and in other cases are still not listed
>> (despite email to the security team).
>>
>> Is there a URL outlining the policies and procedures of vuln.xml
>> maintenance?
>>
>
> I am also interested. I know there is a desire to leverage CPE in the
> future, but I've seen CPE entries take weeks to show up. Our vuln.xml
> maintenance has always been pretty solid. Is there a lack of manpower
> right now? Are there notices/reports not being processed?
>
> How can we help?
Bug reports with notice of new additions just to give a heads up at the least.


Sevan / Venture37