Please send these things to ports-secteam at FreeBSD.org so that they
can have a look at these please.
Thanks,
Remko
> On 23 May 2015, at 17:30, Roger Marquis <marquis at roble.com> wrote:
>
> FYI regarding these new and significant failures of FreeBSD security
> policy and procedures.
>
> PHP55 vulnerabilities announced over a week ago
> <https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/>) have
still
> not been ported to lang/php55. You can, however, edit the Makefile,
> increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum
> deinstall reinstall clean' to secure a server without waiting for the
> port to be updated. Older versions of PHP may also have unpatched
> vulnerabilities that are not noted in the vuln.xml database.
>
> New CVEs for unzoo (and likely zoo as well) have not yet shown up in
'pkg
> audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your
earliest
> convenience if you have these installed.
>
> HEADS-UP: anyone maintaining public-facing FreeBSD servers who is
> depending on 'pkg audit' to report whether a server is secure it
should
> be noted that this method is no longer reliable.
>
> If you find a vulnerability such as a new CVE or mailing list
> announcement please send it to the port maintainer and
> <ports-secteam at FreeBSD.org> as quickly as possible. They are
whoefully
> understaffed and need our help. Though freebsd.org indicates that
> security alerts should be sent to <secteam at FreeBSD.org> this is
> incorrect. If the vulnerability is in a port or package send an alert to
> ports-secteam@ and NOT secteam@ as the secteam will generally not reply
> to your email or forward the alerts to ports-secteam.
>
> Roger
>
>> Does anyone know what's going on with vuln.xml updates? Over the
last
>> few weeks and months CVEs and application mailing lists have announced
>> vulnerabilities for several ports that in some cases only showed up in
>> vuln.xml after several days and in other cases are still not listed
>> (despite email to the security team).
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at
freebsd.org"
--
/"\ Best regards, | remko at FreeBSD.org
\ / Remko Lodder | remko at EFnet
X http://www.evilcoder.org/ |
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20150523/566648d7/attachment.sig>