Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-08 Thread Mark Felder


On Mon, Jun 8, 2015, at 15:55, Roger Marquis wrote:
  On Fri, May 29, 2015 at 5:15 PM, Robert Simmons rsimmo...@gmail.com wrote:
  Crickets.
 
  May I ask again:
 
  How do we find out who the members of the Ports Secteam are?
 
  How do we join the team?
 
 Anyone?
 

I really hope this can be resolved face-to-face at BSDCan...
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to freebsd-security-unsubscr...@freebsd.org


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Roger Marquis
Walter Parker wrote:
 What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that
 their systems are secure? An audit trail of CVE issues fixed, while a
 good start, is hardly a strong assurance that the system is secure.

An important point and thank you for making it Walter.  There is no assurance
against zero-day vulnerabilities or vulns that are otherwise not published
(outside of the NSA).  That would be absolute security.  In the context of
relative security, however, assurance can perhaps be defined as being able to
assume that CVEs released by the NIST, announced by code or other operating
system  maintainers or published by researchers or third parties such as
Rapid7 and Tripwire are reflected in vuln.xml (after a reasonable timeframe).

 How much faster must FreeBSD respond for it to join the security
 assurance club of the major Linux vendors? Is this a paperwork issue
 or a process issue?

We don't have much insight into the workings of FreeBSD's security teams so it
appears to be a matter of policy.  Would be great if Dag could comment here.
The policies I would most like to know about are transparency-related, i.e.,
published security-related procedures, projects and RFCs.  Otherwise, what
appears to be lacking is (additional) automation of the process of scanning
CVEs and advisories by other organizations and subsequent prioritization,
review and formatting for publication.

There are several of us interested in contributing towards these goals,
financially, codewise and otherwise, but it is distressingly unclear how.
There are PRs of course, but if, say, someone wanted to contribute
specifically to the process of automating vuln.xml updates or to donate
specifically to the security teams... Pointers gladly accepted.

Roger



Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Walter Parker
 Date: Wed, 27 May 2015 14:35:41 -0700
 From: Roger Marquis marq...@roble.com
 To: Mark Felder f...@freebsd.org
 Cc: freebsd-po...@freebsd.org, freebsd-security@freebsd.org
 Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
 Message-ID: mailman.91.1432814411.48534.freebsd-secur...@freebsd.org
 Content-Type: text/plain;charset=iso-8859-1

   * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
   OpenBSD server operators) have no assurance that their systems are
   secure.


That's an interesting definition of security assurance. The existence
or quicker updating of a list of insecure packages does not make a
system secure. It aids in the auditing of the security of the system,
which is not the same thing as actually having a secure system.
Standard logic says that lack of evidence does not prove
non-existence.

What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that
their systems are secure? An audit trail of CVE issues fixed, while a
good start, is hardly a strong assurance that the system is secure.

How much faster must FreeBSD respond for it to join the security
assurance club of the major Linux vendors? Is this a paperwork issue
or a process issue?


Walter


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
   * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
   OpenBSD server operators) have no assurance that their systems are
   secure.

 Slow down here for a second. Where's the command-line tool on RedHat or
 Debian that lists only the known vulnerable packages?

In RedHat you can create a security repo list (
grep -security /etc/apt/sources.list), install the security plugin (yum
install yum-plugin-security) and 'yum check-update --security' for the same
functionality as 'pkg audit -F'.  Debian is even more obscure (apt-get upgrade
-o Dir::Etc::SourceList=/etc/apt/security.sources.list --just-print).  FreeBSD
'pkg audit' is much cleaner but what difference does that make, really, when
you have a vulnerable package that isn't in the database?

 But that's not the end of the story. That
 command won't list vulnerabilities until they have a patch released.
 Let's look at CVE-2015-0209
 https://access.redhat.com/security/cve/CVE-2015-0209
 Release date was March 23rd.

No question there's variability in bugfix timeliness, especially for DOS-type
bugs like CVE-2015-0209.  FreeBSD ports maintainers are also able to commit
patches and version updates much more quickly than their binary-only
competitors, as noted with the php55/Makefile tweak.  In the past that's what
made FreeBSD a more secure OS to host applications on.  But that's not the
main issue this thread has been about.

The issue that really matters from a security perspective is the completeness
of the vulnerability database, vuln.xml in our case.

 The grass is always greener... or is it?

 Let's just concentrate on how to improve things here and not worry about
 how they're handling security issues because they have their own unique
 problems to solve.

I must say I am disappointed in the response to this serious and significant
issue.  My Redhat-using co-workers, OTOH, are no doubt eating it up.  Problem
is I'm not the only one who has to defend their business unit's use of FreeBSD
in a corporation that has otherwise nearly standardized on Redhat (and RH
security, bash notwithstanding).

Roger




Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
 Mark Felder wrote:
 Who is ports-secteam?

 It was Xin Li who alerted me to the ports-sect...@freebsd.org address
 i.e., as being distinct from the FreeBSD Security Team
 (sect...@freebsd.org) address noted on
 https://www.freebsd.org/security/.

Also have to thank Remko Lodder for pointing out the ports-secteam@ address.
Should also note that while the ports-secteam@ is not mentioned in
freebsd.org/security or various other places where it probably should be
(like the Types of Problem Reports page
/doc/en_US.ISO8859-1/articles/pr-guidelines/pr-types.html)
it is noted in the Port Specific FAQ
/doc/en_US.ISO8859-1/articles/pr-guidelines/pr-types.html and on the port
maintainers' page /ports/ports-mgmt.html.

Roger


 There has been no Call For Help that I've ever seen. If people are needed
 to process these CVEs so they are entered into VUXML, sign me up to
 ports-secteam please.

 I believe that is part of the problem, or the multiple problems, that
 led me to believe that FreeBSD is operating without the active
 involvement of a security officer.  Specifically:

   * port vulnerability alerts sent to secteam@, as indicated on the
   /security/ page, are neither forwarded to ports-secteam@ for review nor
   returned to the sender with a note regarding the correct destination
   address,

   * the freebsd.org/security web page is not correct and not being
   updated,

   * aside from Xin nobody from either ports-secteam@ or secteam@ much
   less security-officer@ seems to be reading or participating in the
   security@ mailing list,

   * nobody @freebsd.org appears to be following CVE announcements and the
   maintainers of several high profile ports are also not following it or
   even their application's -announce list,

   * there appears to be no automated process to alert vuln.xml maintainers
   (ports-secteam@) of potential new port vulnerabilities,

   * offers of help to secteam@ and ports-secteam@ are neither replied to
   nor acted upon (except for Xin Li's request, thanks Xin!),

   * perhaps as a result the vuln.xml database is no longer reliable, and
   by extension,

   * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
   OpenBSD server operators) have no assurance that their systems are secure.

 This is a MAJOR CHANGE from just a couple of years ago which calls for an
 equally major heads-up to be sent to those running FreeBSD servers and
 looking to the freebsd.org website for help securing their systems.

 The significance of these 7 bullets should not be overlooked or
 understated.  They call into question the viability of FreeBSD itself.

 IMO,
 Roger Marquis





Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-24 Thread Kevin Oberman
On Sun, May 24, 2015 at 12:53 AM, Xin Li delp...@delphij.net wrote:

 Hi,

 On 5/23/15 09:14, Jason Unovitch wrote:
  On Sat, May 23, 2015 at 11:30 AM, Roger Marquis marq...@roble.com
  wrote:
   If you find a vulnerability such as a new CVE or mailing list
   announcement please send it to the port maintainer and
   ports-sect...@freebsd.org as quickly as possible.  They are
   woefully understaffed and need our help.  Though freebsd.org
   indicates that security alerts should be sent to
   sect...@freebsd.org this is incorrect.  If the vulnerability is
   in a port or package send an alert to ports-secteam@ and NOT
   secteam@ as the secteam will generally not reply to your email or
   forward the alerts to ports-secteam.
 
  Roger


Can our bugzilla have a button or something similar to tag bugs with CVE
entries and adding ports-secteam to the cc list? Better would be a scan of
bug submissions for the string CVE-. (I have never looked at bugzilla
other than to use it to search or submit bugs, so have no idea if this is
feasible.)

I know that this would generate false positives, but it appears to me that
most all such could be dismissed very quickly and would be better than
having serious security issues lost in the heap of bug reports.

I know that when I opened a PR (pre-bugzilla) for a significant security
issue in a popular port (ImageMagick) a few years ago, even though I marked
it as critical, it was almost 2 weeks before the port was updated,
probably because the maintainer was just routinely updating the port as the
commit did not reference the vulnerability, at all. It was a rather gaping
hole, too. The PR was eventually closed as very stale, as it should have
been by then.
--
Kevin Oberman, Network Engineer, Retired
E-mail: rkober...@gmail.com
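Kevin's idea of scanning bug submissions for the string CVE-, and Roger's earlier wish (in his 2015-05-28 message) for automation that checks published CVEs against vuln.xml, could start with a check like the one below. This is an added example, not code from the thread or from the FreeBSD project; it assumes the real VuXML element layout (namespace http://www.vuxml.org/apps/vuxml-1, `<vuln>`/`<references>`/`<cvename>`) and uses a constructed vuln.xml fragment and a constructed report text, in which every CVE id other than CVE-2015-0209 is a placeholder.

```python
"""Added example: report CVE ids mentioned in free text (a bug report or an
advisory) that a VuXML document does not reference yet.  The VuXML fragment
and the report text are constructed samples, not real advisories."""
import re
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"
# CVE ids: "CVE-" + 4-digit year + at least 4 digits; case-insensitive so a
# bug report written as "cve-2015-..." is still picked up.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed vuln.xml fragment with a single entry referencing one CVE.
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>php55 -- multiple vulnerabilities (constructed sample)</topic>
    <affects>
      <package><name>php55</name><range><lt>5.5.25</lt></range></package>
    </affects>
    <references>
      <cvename>CVE-2015-0209</cvename>
      <url>https://example.invalid/advisory</url>
    </references>
    <dates><discovery>2015-05-14</discovery><entry>2015-05-20</entry></dates>
  </vuln>
</vuxml>
"""

# Constructed bug-report text of the kind the thread suggests scanning.
# CVE-2015-99901 and CVE-2015-99902 are placeholders, not real ids.
SAMPLE_REPORT = """lang/php55: update to 5.5.25, fixes CVE-2015-0209
and cve-2015-99901. Also affects archivers/unzoo: CVE-2015-99902."""


def cves_in_vuxml(xml_text):
    """Set of upper-cased CVE ids referenced anywhere in a VuXML document."""
    root = ET.fromstring(xml_text)
    return {el.text.strip().upper()
            for el in root.iter(VUXML_NS + "cvename") if el.text}


def cves_in_text(text):
    """Set of CVE ids found in free text, normalised to upper case."""
    return {m.upper() for m in CVE_RE.findall(text)}


def uncovered_cves(report_text, vuxml_text):
    """CVE ids the report mentions that vuln.xml does not reference yet:
    the candidates a ports-secteam triager would want flagged."""
    return sorted(cves_in_text(report_text) - cves_in_vuxml(vuxml_text))


if __name__ == "__main__":
    for cve in uncovered_cves(SAMPLE_REPORT, SAMPLE_VUXML):
        print("not in vuln.xml:", cve)
```

Pointing it at a real vuln.xml and a Bugzilla export would turn every hit into a triage item; false positives (a CVE cited only for context) are expected and cheap to dismiss, as Kevin notes.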


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-24 Thread Xin Li
Hi,

On 5/23/15 09:14, Jason Unovitch wrote:
 On Sat, May 23, 2015 at 11:30 AM, Roger Marquis marq...@roble.com
 wrote:
 If you find a vulnerability such as a new CVE or mailing list
 announcement please send it to the port maintainer and
 ports-sect...@freebsd.org as quickly as possible.  They are
 woefully understaffed and need our help.  Though freebsd.org
 indicates that security alerts should be sent to
 sect...@freebsd.org this is incorrect.  If the vulnerability is
 in a port or package send an alert to ports-secteam@ and NOT
 secteam@ as the secteam will generally not reply to your email or
 forward the alerts to ports-secteam.
 
 Roger
 
 
 I've attempted to knock out a couple of these over the past 2
 days. There's certainly a non-trivial amount of PRs stuck in
 Bugzilla that mention security or CVE that need some care and
 attention.  Here's a few that are now ready for the taking.
 
 vuxml patch ready: emulators/virtualbox-ose --
 https://bugs.freebsd.org/200311

I've added the information to the main entry and discarded virtualbox
specific text from Oracle.  Since Xen is also affected I have applied
the fix to xen-tools; the 2015Q2 branch version is not affected as
Dom0 support is not there so I haven't merged the change there.

 databases/cassandra -- https://bugs.freebsd.org/199091

Committed, thanks!  I've assigned the PR to the maintainer for the
port update.

 databases/cassandra2 -- https://bugs.freebsd.org/200414 (refers to 
 vuxml patch in PR 199091)

I've assigned the PR to the maintainer.

We should probably mark the above two ports as FORBIDDEN and/or
DEPRECATED.

 sysutils/py-salt -- https://bugs.freebsd.org/200172

This was already done by xmj@.  This one seems serious, can the fix be
backported or should the port be merged to 2015Q2 branch?

 vuxml previously done and update patch ready: net/chrony --
 https://bugs.freebsd.org/199508

The vuxml entry was committed by jbeich@ and port updated by pi@.  I
think the update should be merged to quarterly branch.

 both vuxml and update patch ready: mail/davmail --
 https://bugs.freebsd.org/198297

This was done by pi@.  I think this fix should also go to 2015Q2 branch?

Thanks to everyone working on these issues and thanks for taking time
preparing the patches.

Cheers,


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Jason Unovitch
On Sat, May 23, 2015 at 11:30 AM, Roger Marquis marq...@roble.com wrote:
 If you find a vulnerability such as a new CVE or mailing list
 announcement please send it to the port maintainer and
 ports-sect...@freebsd.org as quickly as possible.  They are woefully
 understaffed and need our help.  Though freebsd.org indicates that
 security alerts should be sent to sect...@freebsd.org this is
 incorrect.  If the vulnerability is in a port or package send an alert to
 ports-secteam@ and NOT secteam@ as the secteam will generally not reply
 to your email or forward the alerts to ports-secteam.

 Roger


I've attempted to knock out a couple of these over the past 2 days.
There's certainly a non-trivial amount of PRs stuck in Bugzilla that
mention security or CVE that need some care and attention.  Here's a
few that are now ready for the taking.

vuxml patch ready:
emulators/virtualbox-ose -- https://bugs.freebsd.org/200311
databases/cassandra -- https://bugs.freebsd.org/199091
databases/cassandra2 -- https://bugs.freebsd.org/200414 (refers to
vuxml patch in PR 199091)
sysutils/py-salt -- https://bugs.freebsd.org/200172

vuxml previously done and update patch ready:
net/chrony -- https://bugs.freebsd.org/199508

both vuxml and update patch ready:
mail/davmail -- https://bugs.freebsd.org/198297

Jason


Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Andreas Andersson
Is it enough to only update php55?

I could create a patch with relative ease in that case.

2015-05-23 17:30 GMT+02:00 Roger Marquis marq...@roble.com:

 FYI regarding these new and significant failures of FreeBSD security
 policy and procedures.

 PHP55 vulnerabilities announced over a week ago
 (https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/) have still
 not been ported to lang/php55.  You can, however, edit the Makefile,
 increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum
 deinstall reinstall clean' to secure a server without waiting for the
 port to be updated.  Older versions of PHP may also have unpatched
 vulnerabilities that are not noted in the vuln.xml database.

 New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg
 audit -F' or vuln.xml.  Run 'pkg remove unzoo zoo' at your earliest
 convenience if you have these installed.

   HEADS-UP: anyone maintaining public-facing FreeBSD servers who is
   depending on 'pkg audit' to report whether a server is secure it should
   be noted that this method is no longer reliable.

 If you find a vulnerability such as a new CVE or mailing list
 announcement please send it to the port maintainer and
 ports-sect...@freebsd.org as quickly as possible.  They are woefully
 understaffed and need our help.  Though freebsd.org indicates that
 security alerts should be sent to sect...@freebsd.org this is
 incorrect.  If the vulnerability is in a port or package send an alert to
 ports-secteam@ and NOT secteam@ as the secteam will generally not reply
 to your email or forward the alerts to ports-secteam.

 Roger

  Does anyone know what's going on with vuln.xml updates?  Over the last
  few weeks and months CVEs and application mailing lists have announced
  vulnerabilities for several ports that in some cases only showed up in
  vuln.xml after several days and in other cases are still not listed
  (despite email to the security team).

 ___
 freebsd-po...@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-ports
 To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org
