Re: Missing fixes for various ports in Q4 branch?

2017-12-05 Thread Vlad K.

On 2017-12-05 12:32, Patrick M. Hausen wrote:

> We relied on just updating the branch every night and running
> poudriere ... looks like I should implement something around pkg audit
> that sends us daily status reports.


Yes, but note that pkg audit depends on VuXML which is also not up to 
date (it's on a best-effort basis just like MFH). There's some effort 
going on to automate CVE entries, but until that's implemented (and if 
at all, as automation depends on CPE which many ports do not have), I'd 
suggest tracking CVEs independently in order to be best informed. 
Following Linux distros' secvuln announcements (Canonical's, Red Hat's, 
Debian's) is a good start, so is being subscribed to the oss-sec list, and of 
course the NVD or MITRE feeds themselves.


* https://usn.ubuntu.com/usn/rss.xml
* https://www.debian.org/security/dsa
* https://cve.mitre.org/

It'd be very helpful if bug reports would be filed on FreeBSD's bugzilla 
(https://bugs.freebsd.org) tagged with keyword "security" if any 
undocumented vulns (not submitted to VuXML) are found.

--
Vlad K.
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
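Patrick's plan above (a nightly `pkg audit` run that mails a status report) and Vlad's caveat that the report is only as current as VuXML can be put together in a small cron script. The following is an added example, not code from either poster or from the FreeBSD project; it assumes a state directory and mail recipient given as placeholders, the verbose `pkg audit` output layout ("<pkg> is vulnerable:" followed by "CVE:" and "WWW:" lines, possibly indented on newer pkg versions), and a constructed sample whose curl version and CVE ids are placeholders (only CVE-2016-1283 comes from the thread). It refreshes the vulnerability database first, then mails a report that leads with packages newly flagged since the previous run, which is what makes a daily mail readable rather than a wall of the same findings.

```shell
#!/bin/sh
# Daily "pkg audit" report for a poudriere-built host. Added example, not
# code from the mailing-list thread. Assumed (not from the original): the
# STATE_DIR and MAILTO values, the report layout, and the verbose pkg-audit
# output format parsed below.
set -u
export LC_ALL=C   # deterministic ordering for sort/comm

STATE_DIR="${STATE_DIR:-/var/db/pkg-audit-report}"   # placeholder path
MAILTO="${MAILTO:-root@localhost}"                   # placeholder address

# Print the "pkgname-version" of every package pkg audit flags, sorted,
# one per line, reading the verbose audit output on stdin.
vulnerable_pkgs() {
    sed -n 's/^[[:space:]]*\(.*\) is vulnerable:$/\1/p' | sort -u
}

# Print every CVE id mentioned in the audit output, sorted, one per line.
# Copes with one or several ids on a single "CVE:" line.
cve_ids() {
    sed -n 's/^[[:space:]]*CVE:[[:space:]]*//p' | tr ' ' '\n' \
        | grep '^CVE-' | sort -u
}

# Given two sorted list files, print the lines present only in the second:
# findings that are new since the previous run.
new_entries() {
    comm -13 "$1" "$2"
}

# Constructed sample of verbose pkg audit output for offline testing.
# The PHP line mirrors the thread; curl-7.56.1 and CVE-0000-000x are
# made-up placeholders, not real identifiers.
sample_audit_output() {
    cat <<'EOF'
php56-5.6.31 is vulnerable:
php -- multiple vulnerabilities
CVE: CVE-2016-1283
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-UUID-1.html

curl-7.56.1 is vulnerable:
  cURL -- multiple vulnerabilities
  CVE: CVE-0000-0001 CVE-0000-0002
  WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-UUID-2.html

2 problem(s) in 2 installed package(s) found.
EOF
}

# Fetch a fresh VuXML copy, audit, and mail a report that leads with what is
# new. pkg audit exits non-zero whenever it finds something, so its exit
# status must not abort the script.
run_report() {
    mkdir -p "$STATE_DIR"
    today="$STATE_DIR/audit.$(date +%Y%m%d).txt"
    prev="$STATE_DIR/pkgs.prev"
    cur="$STATE_DIR/pkgs.cur"

    pkg audit -F > "$today" 2>&1 || true   # -F refreshes vuln.xml first
    vulnerable_pkgs < "$today" > "$cur"
    [ -f "$prev" ] || : > "$prev"

    new=$(new_entries "$prev" "$cur")
    count=$(wc -l < "$cur" | tr -d ' ')
    {
        echo "pkg audit report for $(hostname) on $(date)"
        echo
        echo "Vulnerable packages new since last run:"
        echo "${new:-(none)}"
        echo
        echo "CVE ids referenced:"
        cve_ids < "$today"
        echo
        echo "Full pkg audit output:"
        cat "$today"
    } | mail -s "pkg audit on $(hostname): $count vulnerable package(s)" "$MAILTO"

    mv "$cur" "$prev"
}

# Only run the real audit when invoked as "script --run" (e.g. from cron);
# sourcing the file merely defines the functions.
if [ "${1:-}" = "--run" ]; then
    run_report
fi
```

Install it as a daily cron job with `--run`. Since VuXML lags HEAD, an empty "new since last run" section means only that nothing new was published to VuXML; the independent CVE feeds Vlad lists remain the cross-check for ports whose entries have not landed yet.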


Re: Missing fixes for various ports in Q4 branch? (was: MySQL 5.6)

2017-12-05 Thread Patrick M. Hausen

> On 05.12.2017 at 12:05, Patrick M. Hausen wrote:
> PHP 5.6 is 5.6.31 in Q4 with CVE-2016-1283 and 5.6.32 in HEAD.
> Update to HEAD 4 weeks ago.
> 
> Curl is behind, too - though this fix was committed to HEAD just 2 days ago.

And graphics/OpenEXR received security updates in HEAD 4 days ago.

I assumed merging from HEAD to quarterly for security issues was automatic?

We relied on just updating the branch every night and running poudriere ...
looks like I should implement something around pkg audit that sends us daily
status reports.

Kind regards,
Patrick
-- 
punkt.de GmbH   Internet - Dienstleistungen - Beratung
Kaiserallee 13a Tel.: 0721 9109-0 Fax: -100
76133 Karlsruhe i...@punkt.de   http://punkt.de
AG Mannheim 108285  Gf: Juergen Egeling



Re: Missing fixes for various ports in Q4 branch? (was: MySQL 5.6)

2017-12-05 Thread Patrick M. Hausen

Hi all,

> On 05.12.2017 at 11:55, Kurt Jaeger wrote:
> 
> Hi!
> 
>> I thought quarterly ports branches would receive security fixes from
>> HEAD but no other version bumps.
>> 
>> If this is correct, then why is MySQL 5.6 in Q4 one version behind HEAD
>> (updated 6 weeks ago) and with all the critical security issues still 
>> present?
> 
> Maintainer just committed the merge from HEAD to quarterly.
> 
> Thanks for the heads-up. Sometimes things slip through.

OK ... in that case ...

PHP 5.6 is 5.6.31 in Q4 with CVE-2016-1283 and 5.6.32 in HEAD.
Update to HEAD 4 weeks ago.

Curl is behind, too - though this fix was committed to HEAD just 2 days ago.


I'll routinely use `pkg audit` after building a new master image for our hosting
from now on.


Kind regards,
Patrick