Re: New pkg audit FNs
Aloha,

>> Why not teach pkg-audit(8) to query NVD based on CPE annotations in
>> *binary* packages? Doing so would also provide a workaround for VuXML
>> entries cancelled to reduce bloat.
>
> I agree, pkg-audit needs to be taught to do that. Along those lines, we
> could create a port for cvechecker:
>
> https://github.com/sjvermeu/cvechecker
>
> But both solutions only handle installed packages. We would still need
> something to alert us to CVEs in non-installed software, I think.
>
> Also, I've just looked and it seems only a little over 1000 ports have
> CPE strings. Adding something to portlint that warned ports developers
> to add any needed CPE info would be helpful. I think that type of
> warning has helped us improve LICENSE entries.

One more thought on this topic: a cvechecker isn't enough. Looking at
security updates of piwik, gitlab, phpmailer and many more: most of the
security issues fixed never got a CVE entry. But of course any of the
issues could be exploited in one or another way.

But I think cvechecker is a step in the right direction. pkg audit is
incredibly helpful even with its current restrictions!

Greetings,
Torsten

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
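The CPE-based lookup proposed in this thread, as an added example that is not code from the thread, from pkg(8) or from cvechecker: it matches constructed package CPE annotations against constructed NVD-style cpe_match records, and separately flags packages that carry no CPE annotation at all, which is the gap the port count above points at. Package names, versions, CPE strings and CVE ids are all made up for the demo.

```python
"""Added example, not code from the thread or from pkg(8): match installed
packages' CPE annotations against NVD-style cpe_match records, and report
packages with no CPE, since those can never match (silent false negatives)."""
import re

# Constructed inventory: package -> value of its "cpe" annotation (or None).
# Names, versions and CPE strings are made up for this demo.
INSTALLED = {
    "tiff-4.0.8": "cpe:2.3:a:libtiff:libtiff:4.0.8:*:*:*:*:*:*:*",
    "tomcat8-8.5.20": "cpe:2.3:a:apache:tomcat:8.5.20:*:*:*:*:*:*:*",
    "piwik-3.1.0": None,  # port without a CPE annotation
}
# Constructed NVD-like cpe_match records; the CVE ids are placeholders.
NVD_MATCHES = [
    {"cve": "CVE-0000-0001", "cpe23Uri": "cpe:2.3:a:libtiff:libtiff:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "4.0.9"},
    {"cve": "CVE-0000-0002", "cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "8.5.0", "versionEndExcluding": "8.5.23"},
    {"cve": "CVE-0000-0003", "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:*:*:*:*:*:*:*"},
]

def split_cpe(cpe):
    """Split a CPE 2.3 formatted string on colons that are not backslash-escaped."""
    return re.split(r"(?<!\\):", cpe)

def version_key(v):
    """Numeric-aware key so that 4.0.10 sorts after 4.0.9 (string compare fails)."""
    return tuple(int(p) if p.isdigit() else p for p in re.split(r"[.\-_]", v))

def cpe_matches(pkg_cpe, rec):
    """True if pkg_cpe falls inside rec's CPE pattern and optional version range."""
    pkg, pat = split_cpe(pkg_cpe), split_cpe(rec["cpe23Uri"])
    if len(pkg) != 13 or len(pat) != 13:
        return False  # malformed CPE: refuse rather than guess
    # part, vendor and product (fields 2-4) must match; '*' in the pattern is a wildcard
    if any(p != "*" and p != q for p, q in zip(pat[2:5], pkg[2:5])):
        return False
    if pat[5] != "*":
        return pat[5] == pkg[5]  # pattern names one exact version
    ver = version_key(pkg[5])
    lo, hi = rec.get("versionStartIncluding"), rec.get("versionEndExcluding")
    if lo and ver < version_key(lo):
        return False
    return not (hi and ver >= version_key(hi))

def audit(installed, matches):
    """Map each package to its matching CVE ids; None marks 'no CPE, not auditable'."""
    return {pkg: None if cpe is None else
            sorted({m["cve"] for m in matches if cpe_matches(cpe, m)})
            for pkg, cpe in installed.items()}

if __name__ == "__main__":
    for pkg, cves in audit(INSTALLED, NVD_MATCHES).items():
        print(pkg, "NO CPE ANNOTATION (not auditable)" if cves is None else cves or "ok")
```

A real run would feed the annotation values of the installed packages and the parsed NVD feed into audit() instead of the two constructed dictionaries.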
Re: New pkg audit FNs
On 10.10.17 at 00:03, Steve Wills wrote:
> Hi,
>
> On 10/09/2017 17:55, Jan Beich wrote:
>> Why not teach pkg-audit(8) to query NVD based on CPE annotations in
>> *binary* packages? Doing so would also provide a workaround for VuXML
>> entries cancelled to reduce bloat.
>
> I agree, pkg-audit needs to be taught to do that. Along those lines, we
> could create a port for cvechecker:
>
> https://github.com/sjvermeu/cvechecker

I have a mostly working port of cvechecker, which I plan to commit
soonish.

Regards, STefan
Re: New pkg audit FNs
Hi,

On 10/09/2017 17:55, Jan Beich wrote:
> Steve Wills writes:
>> Hi,
>>
>> On 10/09/2017 16:34, Jan Beich wrote:
>>> Matthew Seaman writes:
>>>> On 09/10/2017 16:57, Roger Marquis wrote:
>>>>> Can anyone say what mechanisms the ports-security team might have in
>>>>> place to monitor CVEs and port software versions?
>>
>> I've been hacking at a prototype for scanning what I can find:
>>
>> https://github.com/swills/nvd_to_new_vuxml
>
> Wouldn't that encourage copypasta, exacerbating filesize issue?

The VuXML data does need to be split up and all tools that process it
need to be taught to deal with multiple files.

> Why not teach pkg-audit(8) to query NVD based on CPE annotations in
> *binary* packages? Doing so would also provide a workaround for VuXML
> entries cancelled to reduce bloat.

I agree, pkg-audit needs to be taught to do that. Along those lines, we
could create a port for cvechecker:

https://github.com/sjvermeu/cvechecker

But both solutions only handle installed packages. We would still need
something to alert us to CVEs in non-installed software, I think.

Also, I've just looked and it seems only a little over 1000 ports have
CPE strings. Adding something to portlint that warned ports developers
to add any needed CPE info would be helpful. I think that type of
warning has helped us improve LICENSE entries.

Steve
Re: New pkg audit FNs
Steve Wills writes:
> Hi,
>
> On 10/09/2017 16:34, Jan Beich wrote:
>> Matthew Seaman writes:
>>
>>> On 09/10/2017 16:57, Roger Marquis wrote:
>>> Can anyone say what mechanisms the ports-security team might have in
>>> place to monitor CVEs and port software versions?
>
> I've been hacking at a prototype for scanning what I can find:
>
> https://github.com/swills/nvd_to_new_vuxml

Wouldn't that encourage copypasta, exacerbating filesize issue?

Why not teach pkg-audit(8) to query NVD based on CPE annotations in
*binary* packages? Doing so would also provide a workaround for VuXML
entries cancelled to reduce bloat.
Re: New pkg audit FNs
Hi,

On 10/09/2017 16:34, Jan Beich wrote:
> Matthew Seaman writes:
>> On 09/10/2017 16:57, Roger Marquis wrote:
>>> Can anyone say what mechanisms the ports-security team might have in
>>> place to monitor CVEs and port software versions?

I've been hacking at a prototype for scanning what I can find:

https://github.com/swills/nvd_to_new_vuxml

It's more of a proof of concept than anything. The entry for this issue
is still incomplete though, and the web page for it lists it as "waiting
for analysis":

https://nvd.nist.gov/vuln/detail/CVE-2017-12617

>>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
>>> there's no mention of it in the vulnerability database The tomcat8

It looks like it's there to me:

https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=451185=451415
https://www.vuxml.org/freebsd/c0dae634-4820-4505-850d-b1c975d0f67d.html

And added days ago.

>>> port's Makefile also still points to the older, vulnerable version.

True, the maintainer needs to update it. I've copied him on this message.

>>> Tomcat is one of those popular, internet-facing applications that sites
>>> need to check and/or update quickly when CVEs are released and most
>>> admins probably don't expect "pkg audit" to throw false negatives.
>>
>> Ports-secteam (and secteam, for that matter) will update VuXML when they
>> know about vulnerabilities that affect FreeBSD ports, however the usual
>> mechanism is that the port maintainer either updates VuXML themselves
>> directly or tells the appropriate people that there are vulnerabilities
>> that need to be recorded.

Correct, but it doesn't have to be the port maintainer, anyone can
submit a bug report with a patch to ports/security/vuxml/vuln.xml

> What happened to querying CVE database using CPE strings? ENOTIME is a
> common disease in volunteer projects, ports-secteam@ is no exception.
> Finding missing entries is trivial if one looks at Debian tracker.
> Let's pick something popular e.g., tiff-4.0.8 has 6 CVEs none of which
> are fixed in the port.
>
> https://wiki.freebsd.org/Ports/CPE

Indeed, I've wanted to try matching up ports/packages to the CVE entries
by using CPE data. I will try to look at that again, but as always
patches welcome.

I'll try to add the missing tiff entries and any others anyone cares to
point out.

Steve
Re: New pkg audit FNs
Matthew Seaman writes:
> On 09/10/2017 16:57, Roger Marquis wrote:
>
>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
>> there's no mention of it in the vulnerability database The tomcat8
>> port's Makefile also still points to the older, vulnerable version.
>> Tomcat is one of those popular, internet-facing applications that sites
>> need to check and/or update quickly when CVEs are released and most
>> admins probably don't expect "pkg audit" to throw false negatives.
>
> Ports-secteam (and secteam, for that matter) will update VuXML when they
> know about vulnerabilities that affect FreeBSD ports, however the usual
> mechanism is that the port maintainer either updates VuXML themselves
> directly or tells the appropriate people that there are vulnerabilities
> that need to be recorded.

What happened to querying CVE database using CPE strings? ENOTIME is a
common disease in volunteer projects, ports-secteam@ is no exception.
Finding missing entries is trivial if one looks at Debian tracker. Let's
pick something popular e.g., tiff-4.0.8 has 6 CVEs none of which are
fixed in the port.

https://wiki.freebsd.org/Ports/CPE
Re: New pkg audit FNs
On 09/10/2017 16:57, Roger Marquis wrote:
> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
> there's no mention of it in the vulnerability database The tomcat8
> port's Makefile also still points to the older, vulnerable version.
> Tomcat is one of those popular, internet-facing applications that sites
> need to check and/or update quickly when CVEs are released and most
> admins probably don't expect "pkg audit" to throw false negatives.

Ports-secteam (and secteam, for that matter) will update VuXML when they
know about vulnerabilities that affect FreeBSD ports, however the usual
mechanism is that the port maintainer either updates VuXML themselves
directly or tells the appropriate people that there are vulnerabilities
that need to be recorded.

Ports-secteam do not try and track CVEs for everything in the ports:
that's probably unfeasible given that it's a volunteer effort. The
latest tomcat advisories being missing from VuXML is a symptom of the
perennial problem: nobody stepping up to do the work.

pkg-audit(8) has been pretty good at reporting problems, but it always
has been a best-efforts thing, and there's no guarantee it will be
comprehensive.

Cheers,
Matthew
Re: New pkg audit FNs
Hello,

They go by the public CVE announcements. The audit db might be slow on
updating. But really you should be following CVEs for any software you
use yourself that is mission critical.

On Oct 9, 2017 11:01 AM, "Roger Marquis" wrote:
> Can anyone say what mechanisms the ports-security team might have in
> place to monitor CVEs and port software versions?
>
> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
> there's no mention of it in the vulnerability database The tomcat8
> port's Makefile also still points to the older, vulnerable version.
> Tomcat is one of those popular, internet-facing applications that sites
> need to check and/or update quickly when CVEs are released and most
> admins probably don't expect "pkg audit" to throw false negatives.
>
> Tomcat is just one of many apps, however, so concern regarding the
> validity of FreeBSD's vulnerability database is larger than this CVE.
> We are concerned about update processes and procedures, especially
> considering how this topic has come up in the past (for different apps).
>
> Roger Marquis
New pkg audit FNs
Can anyone say what mechanisms the ports-security team might have in
place to monitor CVEs and port software versions?

The reason I ask is CVE-2017-12617 was announced almost a week ago yet
there's no mention of it in the vulnerability database The tomcat8
port's Makefile also still points to the older, vulnerable version.
Tomcat is one of those popular, internet-facing applications that sites
need to check and/or update quickly when CVEs are released and most
admins probably don't expect "pkg audit" to throw false negatives.

Tomcat is just one of many apps, however, so concern regarding the
validity of FreeBSD's vulnerability database is larger than this CVE.
We are concerned about update processes and procedures, especially
considering how this topic has come up in the past (for different apps).

Roger Marquis