FYI regarding these new and significant failures of FreeBSD security
policy and procedures.
PHP55 vulnerabilities announced over a week ago
<https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/>) have still
not been ported to lang/php55. You can, however, edit the Makefile,
increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum
deinstall reinstall clean' to secure a server without waiting for the
port to be updated. Older versions of PHP may also have unpatched
vulnerabilities that are not noted in the vuln.xml database.
New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg
audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your earliest
convenience if you have these installed.
HEADS-UP: anyone maintaining public-facing FreeBSD servers who is
depending on 'pkg audit' to report whether a server is secure it
should
be noted that this method is no longer reliable.
If you find a vulnerability such as a new CVE or mailing list
announcement please send it to the port maintainer and
<ports-secteam at FreeBSD.org> as quickly as possible. They are whoefully
understaffed and need our help. Though freebsd.org indicates that
security alerts should be sent to <secteam at FreeBSD.org> this is
incorrect. If the vulnerability is in a port or package send an alert to
ports-secteam@ and NOT secteam@ as the secteam will generally not reply
to your email or forward the alerts to ports-secteam.
Roger
> Does anyone know what's going on with vuln.xml updates? Over the last
> few weeks and months CVEs and application mailing lists have announced
> vulnerabilities for several ports that in some cases only showed up in
> vuln.xml after several days and in other cases are still not listed
> (despite email to the security team).