Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-11 Thread Eitan Adler
On 11 June 2015 at 06:47, Matthew Seaman matt...@freebsd.org wrote:
 On 11/06/2015 09:15, Mark Linimon wrote:
 On Wed, Jun 10, 2015 at 11:45:29PM -0600, Janky Jay, III wrote:
 Hrm... Numerous inquiries regarding this and no response is somewhat
 disappointing.

 This is not an excuse, but a number of us are at BSDCan and distracted.

 There have been discussions about how to solve the larger ports security
 problem but no conclusive decision yet.  It is, however, a hot topic.

 I'd like to add that the situation with ports-secteam -- not having a
 published list of members and so forth -- has come to the attention of
 the Core team and things are in motion to improve the situation.  In the
 mean time, Xin Li has posted some useful information to freebsd-security@ --

There is also https://reviews.freebsd.org/D2761 for adding the list of
team members to the https://www.freebsd.org/administration.html page



-- 
Eitan Adler
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-11 Thread Matthew Seaman
On 11/06/2015 09:15, Mark Linimon wrote:
 On Wed, Jun 10, 2015 at 11:45:29PM -0600, Janky Jay, III wrote:
 Hrm... Numerous inquiries regarding this and no response is somewhat
 disappointing.
 
 This is not an excuse, but a number of us are at BSDCan and distracted.
 
 There have been discussions about how to solve the larger ports security
 problem but no conclusive decision yet.  It is, however, a hot topic.

I'd like to add that the situation with ports-secteam -- not having a
published list of members and so forth -- has come to the attention of
the Core team and things are in motion to improve the situation.  In the
mean time, Xin Li has posted some useful information to freebsd-security@ --


https://lists.freebsd.org/pipermail/freebsd-security/2015-June/008458.html

Cheers,

Matthew






Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-11 Thread Mark Linimon
On Wed, Jun 10, 2015 at 11:45:29PM -0600, Janky Jay, III wrote:
 Hrm... Numerous inquiries regarding this and no response is somewhat
 disappointing.

This is not an excuse, but a number of us are at BSDCan and distracted.

There have been discussions about how to solve the larger ports security
problem but no conclusive decision yet.  It is, however, a hot topic.

mcl


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-10 Thread Janky Jay, III

Hrm... Numerous inquiries regarding this and no response is somewhat
disappointing. If anyone gets any feedback from anywhere else, please
update the rest of us (BSDCan contacts/update included... I can't make
it... :( )

Regards,
Janky Jay, III

On 06/08/2015 09:34 PM, Mark Felder wrote:


 On Mon, Jun 8, 2015, at 15:55, Roger Marquis wrote:
 On Fri, May 29, 2015 at 5:15 PM, Robert Simmons
rsimmo...@gmail.com wrote:
 Crickets.

 May I ask again:

 How do we find out who the members of the Ports Secteam are?

 How do we join the team?

 Anyone?


 I really hope this can be resolved face-to-face at BSDCan...




Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-08 Thread Roger Marquis
 On Fri, May 29, 2015 at 5:15 PM, Robert Simmons rsimmo...@gmail.com wrote:
 Crickets.

 May I ask again:

 How do we find out who the members of the Ports Secteam are?

 How do we join the team?

Anyone?


 On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery bdrew...@freebsd.org
 wrote:
 I think the VUXML database needs to be simpler to contribute to. Only a
 handful of committers feel comfortable touching the file. We have also
 had the wrong pervasive mentality by committers and users that the vuxml
 database should only have an entry if there is a committed fix. This is
 totally wrong. These CVE are _already public_ in all of these cases.
 Users deserve to know that there is a known issue with a package they
 have installed. I can understand how the mentality grew to what it is
 with some people, but the fact that there is not an update doesn't
 change that the user's system is insecure and needs to be dealt with. If
 the tool can't reliably report issues then it is not worth trusting.
 TL;DR; the file needs to be simpler. I know there is an effort to use
 CPE but I'm not too familiar with where it is going.

 As for maintainers tracking upstream mailing lists, this is hard. I'm
 subscribed to a lot of lists and can't keep up with all of the traffic.

 The RedHat security team and reporting is very impressive. Don't forget
 that they are a funded company though. Perhaps the FreeBSD Foundation
 needs to fund a fulltime security officer that is devoted to both Ports
 and Src. Just the Ports piece is easily a fulltime job.

 It seems from this thread that we have a group of people who are
 passionate enough about fixing this problem.

 How do we find out who the members of the Ports Secteam are? Once we
 know that, I'd say that at least some of the people on this thread are
 willing to join the Ports Secteam (myself included). How do we join
 the team?

 Once the team has new and energized members, I would envision the team
 then working through the problems that have been outlined in this
 thread and putting together a plan for fixing them.




Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-08 Thread Mark Felder


On Mon, Jun 8, 2015, at 15:55, Roger Marquis wrote:
  On Fri, May 29, 2015 at 5:15 PM, Robert Simmons rsimmo...@gmail.com wrote:
  Crickets.
 
  May I ask again:
 
  How do we find out who the members of the Ports Secteam are?
 
  How do we join the team?
 
 Anyone?
 

I really hope this can be resolved face-to-face at BSDCan...


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-02 Thread Robert Simmons
On Fri, May 29, 2015 at 5:15 PM, Robert Simmons rsimmo...@gmail.com wrote:
 On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery bdrew...@freebsd.org wrote:
 I think the VUXML database needs to be simpler to contribute to. Only a
 handful of committers feel comfortable touching the file. We have also
 had the wrong pervasive mentality by committers and users that the vuxml
 database should only have an entry if there is a committed fix. This is
 totally wrong. These CVE are _already public_ in all of these cases.
 Users deserve to know that there is a known issue with a package they
 have installed. I can understand how the mentality grew to what it is
 with some people, but the fact that there is not an update doesn't
 change that the user's system is insecure and needs to be dealt with. If
 the tool can't reliably report issues then it is not worth trusting.
 TL;DR; the file needs to be simpler. I know there is an effort to use
 CPE but I'm not too familiar with where it is going.

 As for maintainers tracking upstream mailing lists, this is hard. I'm
 subscribed to a lot of lists and can't keep up with all of the traffic.

 The RedHat security team and reporting is very impressive. Don't forget
 that they are a funded company though. Perhaps the FreeBSD Foundation
 needs to fund a fulltime security officer that is devoted to both Ports
 and Src. Just the Ports piece is easily a fulltime job.

 It seems from this thread that we have a group of people who are
 passionate enough about fixing this problem.

 How do we find out who the members of the Ports Secteam are? Once we
 know that, I'd say that at least some of the people on this thread are
 willing to join the Ports Secteam (myself included). How do we join
 the team?

 Once the team has new and energized members, I would envision the team
 then working through the problems that have been outlined in this
 thread and putting together a plan for fixing them.

Crickets.

May I ask again:

How do we find out who the members of the Ports Secteam are?

How do we join the team?


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-29 Thread Don Lewis
On 29 May, Robert Simmons wrote:
 On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery bdrew...@freebsd.org wrote:
 I think the VUXML database needs to be simpler to contribute to. Only a
 handful of committers feel comfortable touching the file. We have also
 had the wrong pervasive mentality by committers and users that the vuxml
 database should only have an entry if there is a committed fix. This is
 totally wrong. These CVE are _already public_ in all of these cases.
 Users deserve to know that there is a known issue with a package they
 have installed. I can understand how the mentality grew to what it is
 with some people, but the fact that there is not an update doesn't
 change that the user's system is insecure and needs to be dealt with. If
 the tool can't reliably report issues then it is not worth trusting.
 TL;DR; the file needs to be simpler. I know there is an effort to use
 CPE but I'm not too familiar with where it is going.

 As for maintainers tracking upstream mailing lists, this is hard. I'm
 subscribed to a lot of lists and can't keep up with all of the traffic.

 The RedHat security team and reporting is very impressive. Don't forget
 that they are a funded company though. Perhaps the FreeBSD Foundation
 needs to fund a fulltime security officer that is devoted to both Ports
 and Src. Just the Ports piece is easily a fulltime job.
 
 It seems from this thread that we have a group of people who are
 passionate enough about fixing this problem.
 
 How do we find out who the members of the Ports Secteam are? Once we
 know that, I'd say that at least some of the people on this thread are
 willing to join the Ports Secteam (myself included). How do we join
 the team?

Ports Secteam really should be documented here:
https://www.freebsd.org/administration.html, but it is not.



Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-29 Thread Sevan / Venture37
On 28 May 2015 at 17:47, Bryan Drewery bdrew...@freebsd.org wrote:
 I think the VUXML database needs to be simpler to contribute to. Only a
 handful of committers feel comfortable touching the file. We have also
 had the wrong pervasive mentality by committers and users that the vuxml
 database should only have an entry if there is a committed fix. This is
 totally wrong. These CVE are _already public_ in all of these cases.
 Users deserve to know that there is a known issue with a package they
 have installed. I can understand how the mentality grew to what it is
 with some people, but the fact that there is not an update doesn't
 change that the user's system is insecure and needs to be dealt with. If
 the tool can't reliably report issues then it is not worth trusting.
 TL;DR; the file needs to be simpler. I know there is an effort to use
 CPE but I'm not too familiar with where it is going.

May I suggest a more pragmatic format of package+version, type of
issue, URL for further info.

 The RedHat security team and reporting is very impressive. Don't forget
 that they are a funded company though. Perhaps the FreeBSD Foundation
 needs to fund a fulltime security officer that is devoted to both Ports
 and Src. Just the Ports piece is easily a fulltime job.

There seems to be a lot of eyes on the ports-bugs@ list from the
community, a heads up about vulnerabilities via the bug tracker may
help in the meantime?


Sevan / Venture37


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-29 Thread Robert Simmons
On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery bdrew...@freebsd.org wrote:
 I think the VUXML database needs to be simpler to contribute to. Only a
 handful of committers feel comfortable touching the file. We have also
 had the wrong pervasive mentality by committers and users that the vuxml
 database should only have an entry if there is a committed fix. This is
 totally wrong. These CVE are _already public_ in all of these cases.
 Users deserve to know that there is a known issue with a package they
 have installed. I can understand how the mentality grew to what it is
 with some people, but the fact that there is not an update doesn't
 change that the user's system is insecure and needs to be dealt with. If
 the tool can't reliably report issues then it is not worth trusting.
 TL;DR; the file needs to be simpler. I know there is an effort to use
 CPE but I'm not too familiar with where it is going.

 As for maintainers tracking upstream mailing lists, this is hard. I'm
 subscribed to a lot of lists and can't keep up with all of the traffic.

 The RedHat security team and reporting is very impressive. Don't forget
 that they are a funded company though. Perhaps the FreeBSD Foundation
 needs to fund a fulltime security officer that is devoted to both Ports
 and Src. Just the Ports piece is easily a fulltime job.

It seems from this thread that we have a group of people who are
passionate enough about fixing this problem.

How do we find out who the members of the Ports Secteam are? Once we
know that, I'd say that at least some of the people on this thread are
willing to join the Ports Secteam (myself included). How do we join
the team?

Once the team has new and energized members, I would envision the team
then working through the problems that have been outlined in this
thread and putting together a plan for fixing them.


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Janky Jay, III


On 05/28/2015 11:31 AM, Mark Felder wrote:


 On Thu, May 28, 2015, at 11:47, Bryan Drewery wrote:

 Personally I agree on all points. Our ports security regime is not
 working.

 I already communicated further with Roger off-list, but would like to
 point out that I *do* think there is a problem, but I don't think it's
 the sky is falling / don't use FreeBSD yet. This is a solvable problem
 that simply requires some defined processes and
 participation/organization.

 It seems like we're talking to ourselves here, so do we need to hijack
 the ports-secteam@ alias and start figuring things out ourselves?


It appears no one has been able to join the ports-secteam@ list, but if
there is way for me to contribute in any way, I'd certainly like to be
on the list as well. If anyone knows of a way to join this list, please
let me know.

Regards,
Janky Jay, III



Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Bryan Drewery
On 5/28/2015 12:16 PM, Mark Felder wrote:
 
 
 On Thu, May 28, 2015, at 11:47, Bryan Drewery wrote:

 I think the VUXML database needs to be simpler to contribute to. Only a
 handful of committers feel comfortable touching the file.
 
 We could use a very friendly user-facing form that they can fill out to
 create a valid vuxml entry. And then the entry could create a github
 pull request. It would be very easy then to accept or reject the
 request, and accepted requests could be auto-committed to the ports tree
 or wherever it needs to go so pkgaudit can pull it.
 
 This would be leaps and bounds better than what we have. It would
 simplify the process and permit crowdsourcing CVE reporting. 
 
 Everybody wins.
 

swills@ wrote up something a few years ago for an html form.

-- 
Regards,
Bryan Drewery





Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Mark Felder


On Thu, May 28, 2015, at 11:57, Bryan Drewery wrote:
 On 5/28/2015 11:47 AM, Bryan Drewery wrote:
  On 5/27/2015 12:40 PM, Roger Marquis wrote:
 ...
 
  This php one came up in the week and I almost
  just fixed it, but doing those things burns me out as I have my own
  priorities.
 
One of which is maintaining the package builders for FreeBSD.org. On
 the topic of security we used to only provide packages weekly, but have
 recently stepped up to almost-daily. I have been meaning to get a
 general announcement out about this.
 

This is great news! I knew this was on the radar, but didn't know it was
happening yet. 

Thank you for your hard work!!!


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Mark Felder


On Thu, May 28, 2015, at 11:47, Bryan Drewery wrote:
 
 Personally I agree on all points. Our ports security regime is not
 working. 

I already communicated further with Roger off-list, but would like to
point out that I *do* think there is a problem, but I don't think it's
the sky is falling / don't use FreeBSD yet. This is a solvable problem
that simply requires some defined processes and
participation/organization. 

It seems like we're talking to ourselves here, so do we need to hijack
the ports-secteam@ alias and start figuring things out ourselves?


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Mark Felder


On Thu, May 28, 2015, at 11:47, Bryan Drewery wrote:
 
 I think the VUXML database needs to be simpler to contribute to. Only a
 handful of committers feel comfortable touching the file.

We could use a very friendly user-facing form that they can fill out to
create a valid vuxml entry. And then the entry could create a github
pull request. It would be very easy then to accept or reject the
request, and accepted requests could be auto-committed to the ports tree
or wherever it needs to go so pkgaudit can pull it.

This would be leaps and bounds better than what we have. It would
simplify the process and permit crowdsourcing CVE reporting. 

Everybody wins.
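Sevan's "pragmatic format" (package + version, type of issue, URL for further info) and the user-facing form above that emits a valid VuXML entry come down to the same small piece of tooling. The following is an added example, not FreeBSD project code and not anything posted on this list: it renders a <vuln> element in the vuln.xml layout from those few fields, then audits a set of installed packages against it the way pkg audit does. The package name examplepkg, its version numbers, the advisory URL and the fixed vid are constructed sample data, not a real advisory; the version comparison is a simplified model of pkg's ordering (EPOCH after ',', PORTREVISION after '_', then dotted numeric segments) and is an assumption here, not pkg's own code.

```python
"""Added example, not FreeBSD project code: render a VuXML <vuln> entry from a
minimal report and audit installed packages against it.  Package names,
versions, URL and vid are constructed sample data; the version ordering is a
simplified model of pkg's rules (an assumption), not pkg's own code."""
import re
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SimpleReport:
    """The 'pragmatic format': package + affected range, type of issue, URL."""
    package: str
    lt: str                    # first fixed version: affected if installed < lt
    issue: str                 # short issue type, e.g. "remote code execution"
    url: str                   # pointer to further information
    ge: Optional[str] = None   # optional lower bound of the affected range
    cves: List[str] = field(default_factory=list)


def make_vuxml_entry(report: SimpleReport, entry_date: str,
                     vid: Optional[str] = None) -> str:
    """Render one <vuln> element in the vuln.xml layout
    (topic / affects / description / references / dates); vid defaults
    to a fresh UUID, as real entries use."""
    vuln = ET.Element("vuln", vid=vid or str(uuid.uuid4()))
    ET.SubElement(vuln, "topic").text = f"{report.package} -- {report.issue}"
    pkg = ET.SubElement(ET.SubElement(vuln, "affects"), "package")
    ET.SubElement(pkg, "name").text = report.package
    rng = ET.SubElement(pkg, "range")
    if report.ge:
        ET.SubElement(rng, "ge").text = report.ge
    ET.SubElement(rng, "lt").text = report.lt
    body = ET.SubElement(ET.SubElement(vuln, "description"), "body",
                         xmlns="http://www.w3.org/1999/xhtml")
    ET.SubElement(body, "p").text = f"{report.issue}; see the referenced advisory."
    refs = ET.SubElement(vuln, "references")
    for cve in report.cves:
        ET.SubElement(refs, "cvename").text = cve
    ET.SubElement(refs, "url").text = report.url
    dates = ET.SubElement(vuln, "dates")
    ET.SubElement(dates, "discovery").text = entry_date
    ET.SubElement(dates, "entry").text = entry_date
    return ET.tostring(vuln, encoding="unicode")


def _split_version(v: str) -> Tuple[int, List[int], int]:
    """Split a pkg-style 'version_REVISION,EPOCH' string into comparable parts.
    Simplified assumption: only numeric dotted segments are understood."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    return epoch, [int(s) for s in re.findall(r"\d+", v)], revision


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before b: epoch first, then the dotted
    segments (zero-padded to equal length), then PORTREVISION."""
    ea, sa, ra = _split_version(a)
    eb, sb, rb = _split_version(b)
    if ea != eb:
        return ea < eb
    n = max(len(sa), len(sb))
    sa, sb = sa + [0] * (n - len(sa)), sb + [0] * (n - len(sb))
    if sa != sb:
        return sa < sb
    return ra < rb


def _in_range(ver: str, rng: ET.Element) -> bool:
    """VuXML <range> semantics: every bound present (lt/le/gt/ge/eq) must hold."""
    checks = {
        "lt": lambda v, b: version_lt(v, b),
        "le": lambda v, b: not version_lt(b, v),
        "gt": lambda v, b: version_lt(b, v),
        "ge": lambda v, b: not version_lt(v, b),
        "eq": lambda v, b: not version_lt(v, b) and not version_lt(b, v),
    }
    for bound in rng:
        if bound.tag in checks and not checks[bound.tag](ver, bound.text.strip()):
            return False
    return True


def audit(installed: Dict[str, str], vuxml: str) -> List[Tuple[str, str, str]]:
    """Like 'pkg audit': return (package, version, topic) for every installed
    package whose version falls inside a vulnerable <range> of any <vuln>.
    Accepts either a bare <vuln> or a whole <vuxml> document."""
    hits = []
    for vuln in ET.fromstring(vuxml).iter("vuln"):
        topic = vuln.findtext("topic", "")
        for pkg in vuln.iter("package"):
            name = pkg.findtext("name")
            if name in installed and any(_in_range(installed[name], r)
                                         for r in pkg.findall("range")):
                hits.append((name, installed[name], topic))
    return hits
```

The entry is produced before any fix exists: the `<lt>` bound is the first version believed to be fixed, which is what lets the audit flag installed systems as soon as the issue is public. A real contribution would still need a human to check the range against the port's actual PORTVERSION scheme, which this simplified comparator does not fully model.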


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Bryan Drewery
On 5/27/2015 12:40 PM, Roger Marquis wrote:
 If you find a vulnerability such as a new CVE or mailing list
 announcement please send it to the port maintainer and
 ports-sect...@freebsd.org as quickly as possible.  They are woefully
 understaffed and need our help.
 Mark Felder wrote:
 Who is ports-secteam?
 
 It was Xin Li who alerted me to the ports-sect...@freebsd.org address
 i.e., as being distinct from the FreeBSD Security Team
 (sect...@freebsd.org) address noted on
 https://www.freebsd.org/security/.
 
 There has been no Call For Help that I've ever seen. If people are needed
 to process these CVEs so they are entered into VUXML, sign me up to
 ports-secteam please.
 
 I believe that is part of the problem, or the multiple problems, that
 lead me to believe that FreeBSD is operating without the active
 involvement of a security officer.  Specifically:
 
  * port vulnerability alerts sent to secteam@, as indicated on the
  /security/ page, are neither forwarded to ports-secteam@ for review nor
  returned to the sender with a note regarding the correct destination
  address,
 
  * the freebsd.org/security web page is not correct and not being
  updated,
 
  * aside from Xin nobody from either ports-secteam@ or secteam@ much
  less security-officer@ seems to be reading or participating in the
  security@ mailing list,
 
  * nobody @freebsd.org appears to be following CVE announcements and the
  maintainers of several high profile ports are also not following it or
  even their application's -announce list,
 
  * there appears to be no automated process to alert vuln.xml maintainers
  (ports-secteam@) of potential new port vulnerabilities,
 
  * offers of help to secteam@ and ports-secteam@ are neither replied to
  nor acted upon (except for Xin Li's request, thanks Xin!),
 
  * perhaps as a result the vuln.xml database is no longer reliable, and
  by extension,
 
  * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
  OpenBSD server operators) have no assurance that their systems are secure.
 
 This is a MAJOR CHANGE from just a couple of years ago which calls for an
 equally major heads-up to be sent to those running FreeBSD servers and
 looking to the freebsd.org website for help securing their systems.
 
 The significance of these 7 bullets should not be overlooked or
 understated.  They call into question the viability of FreeBSD itself.
 
 IMO,
 Roger Marquis

Personally I agree on all points. Our ports security regime is not
working. As someone who has personally jumped on updating ports during
security crisis, I have found it difficult to get others engaged. I
would usually implore others to just fix it and once it was not done
after a period of time I would do it. I don't have time to react to
every security incident. This php one came up in the week and I almost
just fixed it, but doing those things burns me out as I have my own
priorities. I'm not on ports-secteam, but I did ask to join last year
and had no response. The request was even about recruiting more help.

I think the VUXML database needs to be simpler to contribute to. Only a
handful of committers feel comfortable touching the file. We have also
had the wrong pervasive mentality by committers and users that the vuxml
database should only have an entry if there is a committed fix. This is
totally wrong. These CVE are _already public_ in all of these cases.
Users deserve to know that there is a known issue with a package they
have installed. I can understand how the mentality grew to what it is
with some people, but the fact that there is not an update doesn't
change that the user's system is insecure and needs to be dealt with. If
the tool can't reliably report issues then it is not worth trusting.
TL;DR; the file needs to be simpler. I know there is an effort to use
CPE but I'm not too familiar with where it is going.

As for maintainers tracking upstream mailing lists, this is hard. I'm
subscribed to a lot of lists and can't keep up with all of the traffic.

The RedHat security team and reporting is very impressive. Don't forget
that they are a funded company though. Perhaps the FreeBSD Foundation
needs to fund a fulltime security officer that is devoted to both Ports
and Src. Just the Ports piece is easily a fulltime job.

-- 
Regards,
Bryan Drewery





Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Bryan Drewery
On 5/28/2015 11:47 AM, Bryan Drewery wrote:
 On 5/27/2015 12:40 PM, Roger Marquis wrote:
...

 This php one came up in the week and I almost
 just fixed it, but doing those things burns me out as I have my own
 priorities.

One of which is maintaining the package builders for FreeBSD.org. On
the topic of security we used to only provide packages weekly, but have
recently stepped up to almost-daily. I have been meaning to get a
general announcement out about this.

-- 
Regards,
Bryan Drewery





Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis

If you find a vulnerability such as a new CVE or mailing list
announcement please send it to the port maintainer and
ports-sect...@freebsd.org as quickly as possible.  They are woefully
understaffed and need our help.

Mark Felder wrote:

Who is ports-secteam?


It was Xin Li who alerted me to the ports-sect...@freebsd.org address
i.e., as being distinct from the FreeBSD Security Team
(sect...@freebsd.org) address noted on
https://www.freebsd.org/security/.


There has been no Call For Help that I've ever seen. If people are needed
to process these CVEs so they are entered into VUXML, sign me up to
ports-secteam please.


I believe that is part of the problem, or the multiple problems, that
lead me to believe that FreeBSD is operating without the active
involvement of a security officer.  Specifically:

 * port vulnerability alerts sent to secteam@, as indicated on the
 /security/ page, are neither forwarded to ports-secteam@ for review nor
 returned to the sender with a note regarding the correct destination
 address,

 * the freebsd.org/security web page is not correct and not being
 updated,

 * aside from Xin nobody from either ports-secteam@ or secteam@ much
 less security-officer@ seems to be reading or participating in the
 security@ mailing list,

 * nobody @freebsd.org appears to be following CVE announcements and the
 maintainers of several high profile ports are also not following it or
 even their application's -announce list,

 * there appears to be no automated process to alert vuln.xml maintainers
 (ports-secteam@) of potential new port vulnerabilities,

 * offers of help to secteam@ and ports-secteam@ are neither replied to
 nor acted upon (except for Xin Li's request, thanks Xin!),

 * perhaps as a result the vuln.xml database is no longer reliable, and
 by extension,

 * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
 OpenBSD server operators) have no assurance that their systems are secure.

This is a MAJOR CHANGE from just a couple of years ago which calls for an
equally major heads-up to be sent to those running FreeBSD servers and
looking to the freebsd.org website for help securing their systems.

The significance of these 7 bullets should not be overlooked or
understated.  They call into question the viability of FreeBSD itself.

IMO,
Roger Marquis


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Mark Felder


On Wed, May 27, 2015, at 12:40, Roger Marquis wrote:
 
   * perhaps as a result the vuln.xml database is no longer reliable, and
   by extension,
 
   * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
   OpenBSD server operators) have no assurance that their systems are
   secure.
 

Slow down here for a second. Where's the command-line tool on RedHat or
Debian that lists only the known vulnerable packages? I don't believe
either one provides such a thing equivalent to pkgaudit out of the box.
On Yum based distros you have to yum install yum-security and then you
can run yum updateinfo list sec or yum list-sec. Considering the
number of failed attempts at backporting patches that I've seen I
wouldn't consider this my only safety blanket.

So in that case there's a tool that may solve your specific concern in a
trivial way, and that's great. But that's not the end of the story. That
command won't list vulnerabilities until they have a patch released.
Let's look at CVE-2015-0209

https://access.redhat.com/security/cve/CVE-2015-0209

Release date was March 23rd. Here's the commit:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1b4a8df38fc9ab3c089ca5765075ee53ec5bd66a

Authored on February 9th, then embargoed it would seem. It was publicly
committed to git on February 25th. Redhat has a bug on this, opened
February 26th: 

https://bugzilla.redhat.com/show_bug.cgi?id=1196737

But still, it wasn't addressed until March 23rd!  That's quite a while
to have vulnerable systems that aren't patched and not showing results
in yum updateinfo list sec. At least we have the capability to update
vuxml and notify people before a patch is ready or the packages are
built and distributed to the package mirrors so they can take any
required remediation steps they require. Even so, this is just a tool to
help admins. It's the admin's responsibility to know what is on their
systems and to sign up to relevant security announcement mailing lists.
Sure, you don't want to do that for everything installed on your OS, but
at least any externally facing services you are concerned about.

And let's not forget all of the missed CVEs that get late assignments
and then finally trickle down to RH/Debian due to the fact that they
don't have a rolling-release packaging strategy. Search for posts by
Kurt Seifried on ossec mailing list if you're curious.

Additionally, utilizing CPE data as a source of known vulnerabilities is
not a perfect solution either because I've seen CVEs take weeks to hit
the database.

The grass is always greener... or is it? 

Let's just concentrate on how to improve things here and not worry about
how they're handling security issues because they have their own unique
problems to solve.


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Matthew Donovan
I found the ports security reporting page without issues:
http://www.freebsd.org/security/reporting.html. It appears someone should
read the reporting page instead of saying the information is not correct.
On May 27, 2015 12:40 PM, Roger Marquis marq...@roble.com wrote:

 If you find a vulnerability such as a new CVE or mailing list
 announcement please send it to the port maintainer and
 ports-sect...@freebsd.org as quickly as possible.  They are woefully
 understaffed and need our help.

 Mark Felder wrote:

 Who is ports-secteam?


 It was Xin Li who alerted me to the ports-sect...@freebsd.org address
 i.e., as being distinct from the FreeBSD Security Team
 (sect...@freebsd.org) address noted on
 https://www.freebsd.org/security/.

  There has been no Call For Help that I've ever seen. If people are needed
 to process these CVEs so they are entered into VUXML, sign me up to
 ports-secteam please.


 I believe that is part of the problem, or the multiple problems, that
 lead me to believe that FreeBSD is operating without the active
 involvement of a security officer.  Specifically:

  * port vulnerability alerts sent to secteam@, as indicated on the
  /security/ page, are neither forwarded to ports-secteam@ for review nor
  returned to the sender with a note regarding the correct destination
  address,

  * the freebsd.org/security web page is not correct and not being
  updated,

  * aside from Xin nobody from either ports-secteam@ or secteam@ much
  less security-officer@ seems to be reading or participating in the
  security@ mailing list,

  * nobody @freebsd.org appears to be following CVE announcements and the
  maintainers of several high profile ports are also not following it or
  even their application's -announce list,

  * there appears to be no automated process to alert vuln.xml maintainers
  (ports-secteam@) of potential new port vulnerabilities,

  * offers of help to secteam@ and ports-secteam@ are neither replied to
  nor acted upon (except for Xin Li's request, thanks Xin!),

  * perhaps as a result the vuln.xml database is no longer reliable, and
  by extension,

  * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
  OpenBSD server operators) have no assurance that their systems are secure.

 This is a MAJOR CHANGE from just a couple of years ago which calls for an
 equally major heads-up to be sent to those running FreeBSD servers and
 looking to the freebsd.org website for help securing their systems.

 The significance of these 7 bullets should not be overlooked or
 understated.  They call into question the viability of FreeBSD itself.

 IMO,
 Roger Marquis



Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
   * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
   OpenBSD server operators) have no assurance that their systems are
   secure.

 Slow down here for a second. Where's the command-line tool on RedHat or
 Debian that lists only the known vulnerable packages?

In RedHat you can create a security repo list (
grep -security /etc/apt/sources.list), install the security plugin (yum
install yum-plugin-security) and 'yum check-update --security' for the same
functionality as 'pkg audit -F'.  Debian is even more obscure (apt-get upgrade
-o Dir::Etc::SourceList=/etc/apt/security.sources.list --just-print).  FreeBSD
'pkg audit' is much cleaner but what difference does that make, really, when
you have a vulnerable package that isn't in the database?

 But that's not the end of the story. That
 command won't list vulnerabilities until they have a patch released.
 Let's look at CVE-2015-0209
 https://access.redhat.com/security/cve/CVE-2015-0209
 Release date was March 23rd.

No question there's variability in bugfix timeliness, especially for DOS-type
bugs like CVE-2015-0209.  FreeBSD ports maintainers are also able to commit
patches and version updates much more quickly than their binary-only
competitors, as noted with the php55/Makefile tweak.  In the past that's what
made FreeBSD a more secure OS to host applications on.  But that's not the
main issue this thread has been about.

The issue that really matters from a security perspective is the completeness
of the vulnerability database, vuln.xml in our case.

 The grass is always greener... or is it?

 Let's just concentrate on how to improve things here and not worry about
 how they're handling security issues because they have their own unique
 problems to solve.

I must say I am disappointed in the response to this serious and significant
issue.  My Redhat using co-workers, OTOH, are no doubt eating it up.  Problem
is I'm not the only one who has to defend their business unit's use of FreeBSD
in a corporation that has otherwise nearly standardized on Redhat (and RH
security, bash notwithstanding).

Roger


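Roger's point above is that 'pkg audit' is only as good as the ranges in vuln.xml: a package the database never mentions audits clean no matter how vulnerable it is. The following is an added illustration, not pkg's code or anything posted in this thread. It parses a constructed document in the VuXML layout, matches a constructed installed-package list against the recorded version ranges, and also lists the installed packages the database does not cover at all. The version comparison is a simplified model of pkg's rules (dotted numeric components, optional `_N` PORTREVISION, optional `,N` epoch) and is an assumption of this example; the vid is a placeholder.

```python
"""Minimal VuXML-style audit, an added illustration (not pkg's own code).

`pkg audit` compares installed package versions with the ranges recorded in
vuln.xml.  The document below is a constructed sample in the VuXML layout; the
version comparison is a simplified model of pkg's rules (dotted numeric parts,
optional `_N` PORTREVISION, optional `,N` epoch) and is an assumption of this
example, not pkg's exact algorithm.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one entry covering two php packages.  The vid is a placeholder.
SAMPLE_VUXML = """\
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>php -- multiple vulnerabilities (constructed sample)</topic>
    <affects>
      <package>
        <name>php55</name>
        <range><lt>5.5.25</lt></range>
      </package>
      <package>
        <name>php56</name>
        <range><ge>5.6.0</ge><lt>5.6.9</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Bound operators as used by the children of a VuXML <range> element.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def version_key(ver):
    """Turn '5.5.24_1,2' into a comparable tuple (epoch, numeric parts, revision).

    Simplification: a non-numeric component such as 'b1' counts as its leading
    digits (0 if none), so pre-release suffixes are not modelled.
    """
    epoch = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in ver:
        ver, r = ver.rsplit("_", 1)
        revision = int(r)
    parts = tuple(int(re.match(r"\d*", p).group() or 0) for p in ver.split("."))
    return (epoch, parts, revision)


def parse_vuxml(text):
    """Yield (vid, topic, package name, ranges); ranges is a list of bound lists.

    Several <range> elements are alternatives (OR); the bounds inside one
    <range> must all hold (AND).
    """
    root = ET.fromstring(text)
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        topic = vuln.findtext("v:topic", default="", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            ranges = []
            for rng in pkg.findall("v:range", NS):
                ranges.append([(b.tag.split("}")[1], b.text.strip()) for b in rng])
            for name in pkg.findall("v:name", NS):
                yield vid, topic, name.text.strip(), ranges


def in_range(version, ranges):
    key = version_key(version)
    return any(all(OPS[op](key, version_key(v)) for op, v in bounds)
               for bounds in ranges)


def audit(installed, vuxml_text):
    """installed: {name: version}.  Returns sorted (name, version, vid, topic) hits."""
    return sorted((name, installed[name], vid, topic)
                  for vid, topic, name, ranges in parse_vuxml(vuxml_text)
                  if name in installed and in_range(installed[name], ranges))


def uncovered(installed, vuxml_text):
    """Installed packages the database never mentions.  A clean audit says
    nothing about these; this is the completeness gap the thread is about."""
    known = {name for _, _, name, _ in parse_vuxml(vuxml_text)}
    return sorted(set(installed) - known)


if __name__ == "__main__":
    # Constructed installed set: php55 one version behind the fix, unzoo absent from the database.
    installed = {"php55": "5.5.24", "php56": "5.6.9", "unzoo": "4.4_2"}
    for hit in audit(installed, SAMPLE_VUXML):
        print("%s-%s is vulnerable: %s (%s)" % hit)
    print("not covered by the database:", uncovered(installed, SAMPLE_VUXML))
```

Running it reports php55-5.5.24 as vulnerable and php56-5.6.9 as clean, while unzoo shows up only in the "not covered" list: a report of that second kind is the signal an operator needs when deciding whether a clean audit actually means anything.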


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
 Mark Felder wrote:
 Who is ports-secteam?

 It was Xin Li who alerted me to the ports-sect...@freebsd.org address
 i.e., as being distinct from the FreeBSD Security Team
 (sect...@freebsd.org) address noted on
 https://www.freebsd.org/security/.

Also have to thank Remko Lodder for pointing out the ports-secteam@ address.
Should also note that while the ports-secteam@ is not mentioned in
freebsd.org/security or various other places where it probably should be
(like the Types of Problem Reports page
/doc/en_US.ISO8859-1/articles/pr-guidelines/pr-types.html), it is noted in
the Port Specific FAQ /doc/en_US.ISO8859-1/articles/pr-guidelines/pr-types.html
and on the port maintainers' page /ports/ports-mgmt.html.

Roger


 There has been no Call For Help that I've ever seen. If people are needed
 to process these CVEs so they are entered into VUXML, sign me up to
 ports-secteam please.

 I believe that is part of the problem, or the multiple problems, that
 lead me to believe that FreeBSD is operating without the active
 involvement of a security officer.  Specifically:

   * port vulnerability alerts sent to secteam@, as indicated on the
   /security/ page, are neither forwarded to ports-secteam@ for review nor
   returned to the sender with a note regarding the correct destination
   address,

   * the freebsd.org/security web page is not correct and not being
   updated,

   * aside from Xin nobody from either ports-secteam@ or secteam@ much
   less security-officer@ seems to be reading or participating in the
   security@ mailing list,

   * nobody @freebsd.org appears to be following CVE announcements and the
   maintainers of several high profile ports are also not following it or
   even their application's -announce list,

   * there appears to be no automated process to alert vuln.xml maintainers
   (ports-secteam@) of potential new port vulnerabilities,

   * offers of help to secteam@ and ports-secteam@ are neither replied to
   nor acted upon (except for Xin Li's request, thanks Xin!),

   * perhaps as a result the vuln.xml database is no longer reliable, and
   by extension,

   * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
   OpenBSD server operators) have no assurance that their systems are secure.

 This is a MAJOR CHANGE from just a couple of years ago which calls for an
 equally major heads-up to be sent to those running FreeBSD servers and
 looking to the freebsd.org website for help securing their systems.

 The significance of these 7 bullets should not be overlooked or
 understated.  They call into question the viability of FreeBSD itself.

 IMO,
 Roger Marquis





Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-26 Thread Mark Felder


On Sat, May 23, 2015, at 10:30, Roger Marquis wrote:

 If you find a vulnerability such as a new CVE or mailing list
 announcement please send it to the port maintainer and
 ports-sect...@freebsd.org as quickly as possible.  They are woefully
 understaffed and need our help.  

Who is ports-secteam? There has been no Call For Help that I've ever
seen. If people are needed to process these CVEs so they are entered
into VUXML, sign me up to ports-secteam please.


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-24 Thread Kevin Oberman
On Sun, May 24, 2015 at 12:53 AM, Xin Li delp...@delphij.net wrote:


 Hi,

 On 5/23/15 09:14, Jason Unovitch wrote:
  On Sat, May 23, 2015 at 11:30 AM, Roger Marquis marq...@roble.com
  wrote:
  If you find a vulnerability such as a new CVE or mailing list
  announcement please send it to the port maintainer and
  ports-sect...@freebsd.org as quickly as possible.  They are
  woefully understaffed and need our help.  Though freebsd.org
  indicates that security alerts should be sent to
  sect...@freebsd.org this is incorrect.  If the vulnerability is
  in a port or package send an alert to ports-secteam@ and NOT
  secteam@ as the secteam will generally not reply to your email or
  forward the alerts to ports-secteam.
 
  Roger


Can our bugzilla have a button or something similar to tag bugs with CVE
entries and adding ports-secteam to the cc list? Better would be a scan of
bug submissions for the string CVE-. (I have never looked at bugzilla
other than to use it to search or submit bugs, so have no idea if this is
feasible.)

I know that this would generate false positives, but it appears to me that
almost all of them could be dismissed very quickly, and it would be better than
having serious security issues lost in the heap of bug reports.

I know that when I opened a PR (pre-bugzilla) for a significant security
issue in a popular port (ImageMagick) a few years ago, even though I marked
it as critical, it was almost 2 weeks before the port was updated,
probably because the maintainer was just routinely updating the port as the
commit did not reference the vulnerability, at all. It was a rather gaping
hole, too. The PR was eventually closed as very stale, as it should have
been by then.
--
Kevin Oberman, Network Engineer, Retired
E-mail: rkober...@gmail.com
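Kevin's proposal above, scanning bug submissions for "CVE-" and copying ports-secteam, is easy to sketch. The following is an added illustration, not code from Bugzilla or from anyone in this thread. Instead of a bare substring search (which also fires on phrases such as "no CVE- assigned yet"), it matches the identifier syntax itself, de-duplicates case variants, and applies a year sanity check to weed out mistypes, which is where most of the false positives Kevin anticipates would come from. The sample PR text is constructed; CVE-2015-12345 and CVE-2015-12346 are constructed placeholders, not real assignments, and CVE-2015-0209 is the one identifier already discussed in the thread.

```python
"""CVE-identifier triage for bug-report text, an added illustration.

A bare 'CVE-' substring search also matches phrases like 'no CVE- assigned
yet'.  This example matches the identifier syntax (CVE-<year>-<four or more
digits>), de-duplicates, and applies a year sanity check.  The sample PRs are
constructed; CVE-2015-12345/12346 are constructed placeholders.
"""
import re

# MITRE identifier syntax: four-digit year, sequence of four or more digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# The CVE program started in 1999; the upper bound is an assumption pinned to
# the thread's date so that obvious mistypes are dropped.
MIN_YEAR, MAX_YEAR = 1999, 2015


def extract_cve_ids(text, min_year=MIN_YEAR, max_year=MAX_YEAR):
    """Sorted, de-duplicated, upper-cased CVE IDs with a plausible year."""
    ids = set()
    for m in CVE_RE.finditer(text):
        year = int(m.group(1))
        if min_year <= year <= max_year:
            ids.add("CVE-%s-%s" % (m.group(1), m.group(2)))
    return sorted(ids)


def triage(prs):
    """prs: iterable of (summary, description).

    Returns (summary, ids, cc_secteam): cc_secteam is True when at least one
    plausible identifier was found, i.e. the PR should be copied to ports-secteam.
    """
    result = []
    for summary, description in prs:
        ids = extract_cve_ids(summary + "\n" + description)
        result.append((summary, ids, bool(ids)))
    return result


# Constructed sample PRs.  Port names follow the ones discussed in the thread.
SAMPLE_PRS = [
    ("lang/php55: update to 5.5.25",
     "Fixes CVE-2015-12345, cve-2015-12346 and CVE-2015-12345 (again)."),
    ("databases/cassandra: fix build with clang",
     "No CVE- assigned yet, plain build fix."),
    ("security/vuxml: document unzoo issues",
     "Mistyped CVE-1234-5678 in the report; the real reference is CVE-2015-0209."),
]

if __name__ == "__main__":
    for summary, ids, cc in triage(SAMPLE_PRS):
        tag = "cc ports-secteam" if cc else "routine"
        print("%-45s %-17s %s" % (summary, tag, ", ".join(ids)))
```

The second PR is the case a naive substring scan would flag and a human would have to dismiss; the third shows that one malformed identifier does not hide a real one in the same report.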


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-24 Thread Xin Li

Hi,

On 5/23/15 09:14, Jason Unovitch wrote:
 On Sat, May 23, 2015 at 11:30 AM, Roger Marquis marq...@roble.com
 wrote:
 If you find a vulnerability such as a new CVE or mailing list 
 announcement please send it to the port maintainer and 
 ports-sect...@freebsd.org as quickly as possible.  They are
 woefully understaffed and need our help.  Though freebsd.org
 indicates that security alerts should be sent to
 sect...@freebsd.org this is incorrect.  If the vulnerability is
 in a port or package send an alert to ports-secteam@ and NOT
 secteam@ as the secteam will generally not reply to your email or
 forward the alerts to ports-secteam.
 
 Roger
 
 
 I've attempted to knock out a couple of these over the past 2
 days. There's certainly a non-trivial amount of PRs stuck in
 Bugzilla that mention security or CVE that need some care and
 attention.  Here's a few that are now ready for the taking.
 
 vuxml patch ready: emulators/virtualbox-ose --
 https://bugs.freebsd.org/200311

I've added the information to the main entry and discarded virtualbox
specific text from Oracle.  Since Xen is also affected I have applied
the fix to xen-tools; the 2015Q2 branch version is not affected as
Dom0 support is not there so I haven't merged the change there.

 databases/cassandra -- https://bugs.freebsd.org/199091

Committed, thanks!  I've assigned the PR to the maintainer for the
port update.

 databases/cassandra2 -- https://bugs.freebsd.org/200414 (refers to 
 vuxml patch in PR 199091)

I've assigned the PR to the maintainer.

We should probably mark the above two ports as FORBIDDEN and/or
DEPRECATED.

 sysutils/py-salt -- https://bugs.freebsd.org/200172

This was already done by xmj@.  This one seems serious; can the fix be
backported, or should the port be merged to the 2015Q2 branch?

 vuxml previously done and update patch ready: net/chrony --
 https://bugs.freebsd.org/199508

The vuxml entry was committed by jbeich@ and port updated by pi@.  I
think the update should be merged to quarterly branch.

 both vuxml and update patch ready: mail/davmail --
 https://bugs.freebsd.org/198297

This was done by pi@.  I think this fix should also go to 2015Q2 branch?

Thanks to everyone working on these issues, and thanks for taking the time
to prepare the patches.

Cheers,


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Remko Lodder

Please send these things to ports-sect...@freebsd.org so that they
can have a look at these please.

Thanks,
Remko

 On 23 May 2015, at 17:30, Roger Marquis marq...@roble.com wrote:
 
 FYI regarding these new and significant failures of FreeBSD security
 policy and procedures.
 
 PHP55 vulnerabilities announced over a week ago
 (https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/) have still
 not been ported to lang/php55.  You can, however, edit the Makefile,
 increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum
 deinstall reinstall clean' to secure a server without waiting for the
 port to be updated.  Older versions of PHP may also have unpatched
 vulnerabilities that are not noted in the vuln.xml database.
 
 New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg
 audit -F' or vuln.xml.  Run 'pkg remove unzoo zoo' at your earliest
 convenience if you have these installed.
 
  HEADS-UP: anyone maintaining public-facing FreeBSD servers who is
  depending on 'pkg audit' to report whether a server is secure it should
  be noted that this method is no longer reliable.
 
 If you find a vulnerability such as a new CVE or mailing list
 announcement please send it to the port maintainer and
 ports-sect...@freebsd.org as quickly as possible.  They are woefully
 understaffed and need our help.  Though freebsd.org indicates that
 security alerts should be sent to sect...@freebsd.org this is
 incorrect.  If the vulnerability is in a port or package send an alert to
 ports-secteam@ and NOT secteam@ as the secteam will generally not reply
 to your email or forward the alerts to ports-secteam.
 
 Roger
 
 Does anyone know what's going on with vuln.xml updates?  Over the last
 few weeks and months CVEs and application mailing lists have announced
 vulnerabilities for several ports that in some cases only showed up in
 vuln.xml after several days and in other cases are still not listed
 (despite email to the security team).

--
/\   Best regards,  | re...@freebsd.org
\ /   Remko Lodder   | remko@EFnet
 X    http://www.evilcoder.org/  |
/ \   ASCII Ribbon Campaign  | Against HTML Mail and News





Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Jason Unovitch
On Sat, May 23, 2015 at 11:30 AM, Roger Marquis marq...@roble.com wrote:
 If you find a vulnerability such as a new CVE or mailing list
 announcement please send it to the port maintainer and
 ports-sect...@freebsd.org as quickly as possible.  They are woefully
 understaffed and need our help.  Though freebsd.org indicates that
 security alerts should be sent to sect...@freebsd.org this is
 incorrect.  If the vulnerability is in a port or package send an alert to
 ports-secteam@ and NOT secteam@ as the secteam will generally not reply
 to your email or forward the alerts to ports-secteam.

 Roger


I've attempted to knock out a couple of these over the past 2 days.
There's certainly a non-trivial amount of PRs stuck in Bugzilla that
mention security or CVE that need some care and attention.  Here's a
few that are now ready for the taking.

vuxml patch ready:
emulators/virtualbox-ose -- https://bugs.freebsd.org/200311
databases/cassandra -- https://bugs.freebsd.org/199091
databases/cassandra2 -- https://bugs.freebsd.org/200414 (refers to
vuxml patch in PR 199091)
sysutils/py-salt -- https://bugs.freebsd.org/200172

vuxml previously done and update patch ready:
net/chrony -- https://bugs.freebsd.org/199508

both vuxml and update patch ready:
mail/davmail -- https://bugs.freebsd.org/198297

Jason


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Andreas Andersson
Is it enough to only update php55?

I could create a patch with relative ease in that case.

2015-05-23 17:30 GMT+02:00 Roger Marquis marq...@roble.com:

 FYI regarding these new and significant failures of FreeBSD security
 policy and procedures.

 PHP55 vulnerabilities announced over a week ago
 (https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/) have still
 not been ported to lang/php55.  You can, however, edit the Makefile,
 increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum
 deinstall reinstall clean' to secure a server without waiting for the
 port to be updated.  Older versions of PHP may also have unpatched
 vulnerabilities that are not noted in the vuln.xml database.

 New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg
 audit -F' or vuln.xml.  Run 'pkg remove unzoo zoo' at your earliest
 convenience if you have these installed.

   HEADS-UP: anyone maintaining public-facing FreeBSD servers who is
   depending on 'pkg audit' to report whether a server is secure it should
   be noted that this method is no longer reliable.

 If you find a vulnerability such as a new CVE or mailing list
 announcement please send it to the port maintainer and
 ports-sect...@freebsd.org as quickly as possible.  They are woefully
 understaffed and need our help.  Though freebsd.org indicates that
 security alerts should be sent to sect...@freebsd.org this is
 incorrect.  If the vulnerability is in a port or package send an alert to
 ports-secteam@ and NOT secteam@ as the secteam will generally not reply
 to your email or forward the alerts to ports-secteam.

 Roger

  Does anyone know what's going on with vuln.xml updates?  Over the last
 few weeks and months CVEs and application mailing lists have announced
 vulnerabilities for several ports that in some cases only showed up in
 vuln.xml after several days and in other cases are still not listed
 (despite email to the security team).

