A recent quarterly report:

    https://www.freebsd.org/news/status/report-2015-04-2015-06.html

and last week's BSD Now episode both hint that quarterly packages will be the
default for 10.2. I just looked, and sure enough:

    https://svnweb.freebsd.org/base/releng/10.2/etc/pkg/FreeBSD.conf?view=markup

So, my issue here is that I run quarterly branches, and they are awful in
terms of security updates. With FreeBSD 10.2 imminent, are we expecting users
to install vulnerable versions of things like Firefox right off the bat, and
then wait for whatever fixes exist at the time the next quarterly branch is
cut?

A pkg audit against an up-to-date package set is pretty disappointing:

/usr/ports# pkg audit -F
vulnxml file up-to-date
libvpx-1.4.0 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

libxul-38.1.0 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4493
CVE: CVE-2015-4492
CVE: CVE-2015-4491
CVE: CVE-2015-4490
CVE: CVE-2015-4489
CVE: CVE-2015-4488
CVE: CVE-2015-4487
CVE: CVE-2015-4484
CVE: CVE-2015-4483
CVE: CVE-2015-4482
CVE: CVE-2015-4481
CVE: CVE-2015-4480
CVE: CVE-2015-4479
CVE: CVE-2015-4478
CVE: CVE-2015-4474
CVE: CVE-2015-4473
WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

sox-14.4.2 is vulnerable:
sox -- memory corruption vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/9dd761ff-30cb-11e5-a4a5-002590263bf5.html

subversion-1.8.10_3 is vulnerable:
subversion -- DoS vulnerabilities
CVE: CVE-2014-8108
CVE: CVE-2014-3580
WWW: https://vuxml.FreeBSD.org/freebsd/f5561ade-846c-11e4-b7a7-20cf30e32f6d.html

subversion-1.8.10_3 is vulnerable:
subversion -- DoS vulnerabilities
CVE: CVE-2015-0251
CVE: CVE-2015-0248
CVE: CVE-2015-0202
WWW: https://vuxml.FreeBSD.org/freebsd/8e887b71-d769-11e4-b1c2-20cf30e32f6d.html

subversion-1.8.10_3 is vulnerable:
subversion -- multiple vulnerabilities
CVE: CVE-2015-3187
CVE: CVE-2015-3184
WWW: https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html

firefox-39.0,1 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

firefox-39.0,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4495
WWW: https://vuxml.FreeBSD.org/freebsd/8eee06d4-c21d-4f07-a669-455151ff426f.html

firefox-39.0,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4493
CVE: CVE-2015-4492
CVE: CVE-2015-4491
CVE: CVE-2015-4490
CVE: CVE-2015-4489
CVE: CVE-2015-4488
CVE: CVE-2015-4487
CVE: CVE-2015-4484
CVE: CVE-2015-4483
CVE: CVE-2015-4482
CVE: CVE-2015-4481
CVE: CVE-2015-4480
CVE: CVE-2015-4479
CVE: CVE-2015-4478
CVE: CVE-2015-4477
CVE: CVE-2015-4475
CVE: CVE-2015-4474
CVE: CVE-2015-4473
WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

5 problem(s) in the installed packages found.

-- 
Mason Loring Bliss          mason at blisses.org          Ewige Blumenkraft!
(if awake 'sleep (aref #(sleep dream) (random 2))) -- Hamlet, Act III, Scene I
On Thu, Aug 13, 2015 at 04:20:08PM -0400, Mason Loring Bliss wrote:

> subversion-1.8.10_3 is vulnerable:

To clarify, I had this one artificially held back. The up-to-date quarterly
package vulnerability list for Subversion looks like this:

subversion-1.8.13_2 is vulnerable:
subversion -- multiple vulnerabilities
CVE: CVE-2015-3187
CVE: CVE-2015-3184
WWW: https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html

-- 
Mason Loring Bliss          mason at blisses.org          Ewige Blumenkraft!
awake ? sleep : random() & 2 ? dream : sleep; -- Hamlet, Act III, Scene I
[info@ removed, not sure why that email address was included.]

On Thu, Aug 13, 2015 at 04:20:08PM -0400, Mason Loring Bliss wrote:
> A recent quarterly report:
>
>     https://www.freebsd.org/news/status/report-2015-04-2015-06.html
>
> and last week's BSD Now episode both hint that quarterly packages will be the
> default for 10.2. I just looked, and sure enough:
>
>     https://svnweb.freebsd.org/base/releng/10.2/etc/pkg/FreeBSD.conf?view=markup
>
> So, my issue here is that I run quarterly branches, and they are awful in
> terms of security updates. With FreeBSD 10.2 imminent, are we expecting users
> to install vulnerable versions of things like Firefox right off the bat, and
> then wait for whatever fixes exist at the time the next quarterly branch is
> cut?

The reason this change was made is because the quarterly package set receives
less intrusive updates, but it does still receive security updates. This is
documented in the 10.2-RELEASE release notes, which also show how to change
back to the 'latest' branch, if you so desire.

    https://www.freebsd.org/releases/10.2R/relnotes.html#releng-changes

Glen
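The release-notes pointer above concerns the pkg(8) repository override mechanism: /etc/pkg/FreeBSD.conf (which on 10.2 names the quarterly branch, as the releng link in the first message shows) is read first, and a same-named "FreeBSD:" block in /usr/local/etc/pkg/repos/ is read afterwards and takes precedence, so moving a host to 'latest' is a matter of dropping in that override. The script below is an added example, not code from the thread or from the FreeBSD project: it writes the override and reports which branch is in effect. It assumes the default REPOS_DIR load order (/etc/pkg/, then /usr/local/etc/pkg/repos/) and takes a root-prefix argument so it can be exercised against a scratch directory; the function names write_latest_override, write_default_sample, branch_of and effective_branch are mine, and the /etc/pkg file it writes is a constructed stand-in in the shape of the shipped one.

```shell
#!/bin/sh
# Added example: switch a FreeBSD 10.2 host from the quarterly to the latest
# package branch via a pkg(8) repository override, and show which branch wins.
# $1 (root prefix) is "" on a real host and a temp dir when testing.

# Writes the override file the 10.2 release notes describe. A later file in
# REPOS_DIR that redefines a repo of the same name overrides the earlier one,
# so this replaces the url of the "FreeBSD" repo from /etc/pkg/FreeBSD.conf
# (assumed default load order). Prints the path written.
write_latest_override() {
    root="${1:-}"
    dir="$root/usr/local/etc/pkg/repos"
    mkdir -p "$dir"
    cat > "$dir/FreeBSD.conf" <<'EOF'
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
}
EOF
    printf '%s\n' "$dir/FreeBSD.conf"
}

# Constructed stand-in for the shipped /etc/pkg/FreeBSD.conf (quarterly
# default); only used so the example runs without a real 10.2 system.
write_default_sample() {
    root="${1:-}"
    mkdir -p "$root/etc/pkg"
    cat > "$root/etc/pkg/FreeBSD.conf" <<'EOF'
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
EOF
}

# Prints the branch ("quarterly" or "latest") that a repo config file points at.
branch_of() {
    sed -n 's#.*pkg\.FreeBSD\.org/\${ABI}/\([a-z]*\).*#\1#p' "$1"
}

# Effective branch of the FreeBSD repo under the given root, applying the
# load order: /etc/pkg/FreeBSD.conf first, then /usr/local/etc/pkg/repos/*.conf.
# The last file that names a branch wins.
effective_branch() {
    root="${1:-}"
    branch=""
    for f in "$root/etc/pkg/FreeBSD.conf" "$root"/usr/local/etc/pkg/repos/*.conf; do
        [ -f "$f" ] || continue
        b=$(branch_of "$f")
        if [ -n "$b" ]; then branch="$b"; fi
    done
    printf '%s\n' "$branch"
}

# Demonstration against a scratch root. On a real host call
# write_latest_override "" and follow up with `pkg update -f` so the
# catalogue for the new branch is fetched.
demo_root=$(mktemp -d)
write_default_sample "$demo_root"
echo "before override: $(effective_branch "$demo_root")"
write_latest_override "$demo_root" >/dev/null
echo "after override:  $(effective_branch "$demo_root")"
rm -rf "$demo_root"
```

Because the override only redefines url, every other setting of the FreeBSD repo (mirror type, signature checking) continues to come from the shipped file; that is what makes the one-block override safe to drop in and equally easy to remove when you want to go back to quarterly.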
On Thu, Aug 13, 2015, at 15:20, Mason Loring Bliss wrote:
> A recent quarterly report:
>
>     https://www.freebsd.org/news/status/report-2015-04-2015-06.html
>
> and last week's BSD Now episode both hint that quarterly packages will be
> the default for 10.2. I just looked, and sure enough:
>
>     https://svnweb.freebsd.org/base/releng/10.2/etc/pkg/FreeBSD.conf?view=markup
>
> So, my issue here is that I run quarterly branches, and they are awful in
> terms of security updates. With FreeBSD 10.2 imminent, are we expecting
> users to install vulnerable versions of things like Firefox right off the bat,
> and then wait for whatever fixes exist at the time the next quarterly branch
> is cut?

You should not see vulnerable packages in the quarterly branch unless there is
no public fix available. If you come across this type of situation where it is
fixed in HEAD but not in the quarterly branch, please email the maintainer and
ports-secteam@ ASAP.

> A pkg audit against an up-to-date package set is pretty disappointing:
>
> /usr/ports# pkg audit -F
> vulnxml file up-to-date
> libvpx-1.4.0 is vulnerable:
> libvpx -- multiple buffer overflows
> CVE: CVE-2015-4486
> CVE: CVE-2015-4485
> WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html
>
> libxul-38.1.0 is vulnerable:
> mozilla -- multiple vulnerabilities
> CVE: CVE-2015-4493
> CVE: CVE-2015-4492
> CVE: CVE-2015-4491
> CVE: CVE-2015-4490
> CVE: CVE-2015-4489
> CVE: CVE-2015-4488
> CVE: CVE-2015-4487
> CVE: CVE-2015-4484
> CVE: CVE-2015-4483
> CVE: CVE-2015-4482
> CVE: CVE-2015-4481
> CVE: CVE-2015-4480
> CVE: CVE-2015-4479
> CVE: CVE-2015-4478
> CVE: CVE-2015-4474
> CVE: CVE-2015-4473
> WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

This was handled here:

    https://svnweb.freebsd.org/ports?view=revision&revision=394030

> sox-14.4.2 is vulnerable:
> sox -- memory corruption vulnerabilities
> WWW: https://vuxml.FreeBSD.org/freebsd/9dd761ff-30cb-11e5-a4a5-002590263bf5.html

Sox has no public fix yet.

> subversion-1.8.10_3 is vulnerable:
> subversion -- DoS vulnerabilities
> CVE: CVE-2014-8108
> CVE: CVE-2014-3580
> WWW: https://vuxml.FreeBSD.org/freebsd/f5561ade-846c-11e4-b7a7-20cf30e32f6d.html
>
> subversion-1.8.10_3 is vulnerable:
> subversion -- DoS vulnerabilities
> CVE: CVE-2015-0251
> CVE: CVE-2015-0248
> CVE: CVE-2015-0202
> WWW: https://vuxml.FreeBSD.org/freebsd/8e887b71-d769-11e4-b1c2-20cf30e32f6d.html
>
> subversion-1.8.10_3 is vulnerable:
> subversion -- multiple vulnerabilities
> CVE: CVE-2015-3187
> CVE: CVE-2015-3184
> WWW: https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html

I can't speak to subversion at the moment.

> firefox-39.0,1 is vulnerable:
> libvpx -- multiple buffer overflows
> CVE: CVE-2015-4486
> CVE: CVE-2015-4485
> WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html
>
> firefox-39.0,1 is vulnerable:
> mozilla -- multiple vulnerabilities
> CVE: CVE-2015-4495
> WWW: https://vuxml.FreeBSD.org/freebsd/8eee06d4-c21d-4f07-a669-455151ff426f.html
>
> firefox-39.0,1 is vulnerable:
> mozilla -- multiple vulnerabilities
> CVE: CVE-2015-4493
> CVE: CVE-2015-4492
> CVE: CVE-2015-4491
> CVE: CVE-2015-4490
> CVE: CVE-2015-4489
> CVE: CVE-2015-4488
> CVE: CVE-2015-4487
> CVE: CVE-2015-4484
> CVE: CVE-2015-4483
> CVE: CVE-2015-4482
> CVE: CVE-2015-4481
> CVE: CVE-2015-4480
> CVE: CVE-2015-4479
> CVE: CVE-2015-4478
> CVE: CVE-2015-4477
> CVE: CVE-2015-4475
> CVE: CVE-2015-4474
> CVE: CVE-2015-4473
> WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

Quarterly branch has 40.0_4,1 which I linked above (r394030), so this does not
apply either.

Just look at the package mirror:

    http://pkg.freebsd.org/freebsd:10:x86:64/quarterly/All/

  * firefox-40.0_4,1.txz
  * subversion-1.8.13_2.txz
  * libxul-38.2.0_2.txz

The packages are there, so I don't understand how you observe these packages
to still be vulnerable.

In short: DON'T PANIC. The ports-secteam is dedicated to making sure the
Quarterly branches are getting constant care and feeding. There have been a lot
of changes in the past couple of months -- just look at the increase of vuxml
entries being fed in.

Keep in mind that less churn in the quarterly branches means the packages can
build faster. I can't make any promises and I'm not involved in the package
building architecture, but I expect you'll see quarterly branches get
ports/packages built and distributed to the mirrors faster simply because it's
less work to do so.
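The two checks the thread walks through by hand, running `pkg audit -F` against the installed set (the first message) and then comparing each flagged version with what the quarterly mirror's All/ directory actually carries (the reply above), can be scripted so the "is this already fixed upstream in my branch?" question is answered before anyone panics or files a report. The script below is an added example, not code from the thread or from pkg(8): it parses a constructed sample in the shape of `pkg audit -F` output into one line per package with a deduplicated CVE list (merging the repeated subversion entries and handling an entry with no CVE at all, like sox), then matches each package name against a constructed mirror listing. The names audit_summary, mirror_status, AUDIT_SAMPLE and MIRROR_SAMPLE are mine, and the mirror comparison only reports "same version" or "different version"; on a real host feed in live `pkg audit -F` output and the fetched directory listing, and use `pkg version -t` to decide which of two versions is the newer one.

```shell
#!/bin/sh
# Added example: summarize `pkg audit -F` output and check whether the package
# mirror already carries a different version of each vulnerable package.

# Constructed sample in the shape of `pkg audit -F` output (not a real run).
AUDIT_SAMPLE='vulnxml file up-to-date
libvpx-1.4.0 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

sox-14.4.2 is vulnerable:
sox -- memory corruption vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/9dd761ff-30cb-11e5-a4a5-002590263bf5.html

subversion-1.8.10_3 is vulnerable:
subversion -- DoS vulnerabilities
CVE: CVE-2014-8108
CVE: CVE-2014-3580
WWW: https://vuxml.FreeBSD.org/freebsd/f5561ade-846c-11e4-b7a7-20cf30e32f6d.html

subversion-1.8.10_3 is vulnerable:
subversion -- multiple vulnerabilities
CVE: CVE-2015-3187
CVE: CVE-2015-3184
WWW: https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html

firefox-39.0,1 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

4 problem(s) in the installed packages found.'

# Constructed listing of file names as the mirror's quarterly/All/ directory
# shows them (a subset, not a real directory fetch).
MIRROR_SAMPLE='firefox-40.0_4,1.txz
subversion-1.8.13_2.txz
libxul-38.2.0_2.txz
libvpx-1.4.0.txz'

# audit_summary: stdin = pkg audit output; stdout = one line per package:
#   "<name> <version> <cve_count> <comma-separated CVEs, or - if none>"
# Repeated entries for one package are merged and CVEs deduplicated.
audit_summary() {
    awk '
    /is vulnerable:$/ {
        pkg = $1
        n = split(pkg, parts, "-")            # the version follows the last dash
        ver = parts[n]
        name = substr(pkg, 1, length(pkg) - length(ver) - 1)
        cur = name
        version[name] = ver
        next
    }
    /^CVE: / && cur != "" {
        if (!seen[cur, $2]++) {
            count[cur]++
            list[cur] = (list[cur] == "" ? $2 : list[cur] "," $2)
        }
        next
    }
    /^$/ { cur = "" }                         # a blank line ends an entry
    END {
        for (p in version)
            printf "%s %s %d %s\n", p, version[p], count[p], (list[p] == "" ? "-" : list[p])
    }' | sort
}

# mirror_status: stdin = audit_summary lines; $1 = mirror file listing.
# Prints "<name> <version> <status>" where status is one of
#   not-on-mirror | mirror-same-version | mirror-has <version>
mirror_status() {
    awk -v listing="$1" '
    BEGIN {
        n = split(listing, files, "\n")
        for (i = 1; i <= n; i++) {
            f = files[i]
            if (f == "") continue
            sub(/\.txz$/, "", f)
            m = split(f, parts, "-")
            ver = parts[m]
            name = substr(f, 1, length(f) - length(ver) - 1)
            mirror[name] = ver
        }
    }
    {
        name = $1; ver = $2
        if (!(name in mirror)) status = "not-on-mirror"
        else if (mirror[name] == ver) status = "mirror-same-version"
        else status = "mirror-has " mirror[name]
        printf "%s %s %s\n", name, ver, status
    }'
}

# Run on the constructed samples; on a real host replace AUDIT_SAMPLE with
# `pkg audit -F` output and MIRROR_SAMPLE with the fetched directory listing.
printf '%s\n' "$AUDIT_SAMPLE" | audit_summary | mirror_status "$MIRROR_SAMPLE"
```

On the sample this reports firefox and subversion as "mirror-has" a different version (the fixed builds the reply lists), libvpx as the same version the mirror ships, and sox as absent from the listing; the "mirror-same-version" case for a package that pkg audit still flags is exactly the situation the reply says should go to the maintainer and ports-secteam@.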