Re: Missing fixes for various ports in Q4 branch?
On 2017-12-05 12:32, Patrick M. Hausen wrote: We relied on just updating the branch every night and running poudriere ... looks like I should implement something around pkg audit that sends us daily status reports. Yes, but note that pkgaudit depends on VuXML which is also not up to date (it's on the best effort basis just like MFH). There's some effort going on to automate CVE entries, but until that's implemented (and if at all, as automation depends on CPE which many ports do not have), I'd suggest tracking CVEs independently in order to be best informed. Following linux distros secvuln announcements (Canonical's, RedHat's, Debian's) is a good start, so is being subscribed to oss-seclist, and of course the NVD or Mitre feeds themselves. * https://usn.ubuntu.com/usn/rss.xml * https://www.debian.org/security/dsa * https://cve.mitre.org/ It'd be very helpful if bug reports would be filed on FreeBSD's bugzilla (https://bugs.freebsd.org) tagged with keyword "security" if any undocumented vulns (not submitted to VuXML) are found. -- Vlad K. ___ freebsd-ports@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
Re: Missing fixes for various ports in Q4 branch? (was: MySQL 5.6)
> Am 05.12.2017 um 12:05 schrieb Patrick M. Hausen: > PHP 5.6 is 5.6.31 in Q4 with CVE-2016-1283 and 5.6.32 in HEAD. > Update to HEAD 4 weeks ago. > > Curl is behind, too - though this fix was committed to HEAD just 2 days ago. And graphics/OpenEXR received security updates in HEAD 4 days ago. I assumed merging from HEAD to quarterly for security issues was automatic? We relied on just updating the branch every night and running poudriere ... looks like I should implement something around pkg audit that sends us daily status reports. Kind regards, Patrick -- punkt.de GmbH Internet - Dienstleistungen - Beratung Kaiserallee 13a Tel.: 0721 9109-0 Fax: -100 76133 Karlsruhe i...@punkt.de http://punkt.de AG Mannheim 108285 Gf: Juergen Egeling ___ freebsd-ports@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
Re: Missing fixes for various ports in Q4 branch? (was: MySQL 5.6)
Hi all, > Am 05.12.2017 um 11:55 schrieb Kurt Jaeger: > > Hi! > >> I thought quarterly ports branches would receive security fixes from >> HEAD but no other version bumps. >> >> If this is correct, then why is MySQL 5.6 in Q4 one version behind HEAD >> (updated 6 weeks ago) and with all the critical security issues still >> present? > > Maintainer just committed the merge from HEAD to quarterly. > > Thanks for the heads-up. Sometimes things slip through. OK ... in that case ... PHP 5.6 is 5.6.31 in Q4 with CVE-2016-1283 and 5.6.32 in HEAD. Update to HEAD 4 weeks ago. Curl is behind, too - though this fix was committed to HEAD just 2 days ago. I'll routinely use `pkg audit` after building a new master image for our hosting from now on. Kind regards, Patrick -- punkt.de GmbH Internet - Dienstleistungen - Beratung Kaiserallee 13a Tel.: 0721 9109-0 Fax: -100 76133 Karlsruhe i...@punkt.de http://punkt.de AG Mannheim 108285 Gf: Juergen Egeling ___ freebsd-ports@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"