Re: New pkg audit FNs

2017-10-13 Thread Torsten Zuehlsdorff

Aloha,

>> Why not
>> teach pkg-audit(8) to query NVD based on CPE annotations in *binary*
>> packages?
>>
>> Doing so would also provide a workaround for VuXML entries cancelled
>> to reduce bloat.
>
> I agree, pkg-audit needs to be taught to do that. Along those lines, we
> could create a port for cvechecker:
>
> https://github.com/sjvermeu/cvechecker
>
> But both solutions only handle installed packages.
>
> We would still need something to alert us to CVEs in non-installed
> software, I think.
>
> Also, I've just looked and it seems only a little over 1000 ports have
> CPE strings. Adding something to portlint that warned ports developers
> to add any needed CPE info would be helpful. I think that type of
> warning has helped us improve LICENSE entries.

One more thought on this topic: a cvechecker isn't enough. Looking at
security updates of piwik, gitlab, phpmailer and many more: most of the
security issues fixed never got a CVE entry. But of course any of the
issues could be exploited in one or another way.

But I think cvechecker is a step in the right direction. pkg audit is
incredibly helpful even with its current restrictions!


Greetings,
Torsten
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"


Re: New pkg audit FNs

2017-10-10 Thread Stefan Esser
On 10.10.17 at 00:03, Steve Wills wrote:
> Hi,
> 
> On 10/09/2017 17:55, Jan Beich wrote:
>> Why not
>> teach pkg-audit(8) to query NVD based on CPE annotations in *binary*
>> packages?
>> Doing so would also provide a workaround for VuXML entries cancelled
>> to reduce bloat.
> 
> I agree, pkg-audit needs to be taught to do that. Along those lines, we
> could create a port for cvechecker:
> 
> https://github.com/sjvermeu/cvechecker

I have a mostly working port of cvechecker, which I plan to commit
soonish.

Regards, Stefan


Re: New pkg audit FNs

2017-10-09 Thread Steve Wills

Hi,

On 10/09/2017 17:55, Jan Beich wrote:
> Steve Wills writes:
>
>> Hi,
>>
>> On 10/09/2017 16:34, Jan Beich wrote:
>>> Matthew Seaman writes:
>>>
>>>> On 09/10/2017 16:57, Roger Marquis wrote:
>>>>
>>>>> Can anyone say what mechanisms the ports-security team might have in
>>>>> place to monitor CVEs and port software versions?
>>
>> I've been hacking at a prototype for scanning what I can find:
>>
>> https://github.com/swills/nvd_to_new_vuxml
>
> Wouldn't that encourage copypasta, exacerbating filesize issue?

The VuXML data does need to be split up and all tools that process it
need to be taught to deal with multiple files.

> Why not
> teach pkg-audit(8) to query NVD based on CPE annotations in *binary* packages?
> Doing so would also provide a workaround for VuXML entries cancelled
> to reduce bloat.

I agree, pkg-audit needs to be taught to do that. Along those lines, we
could create a port for cvechecker:

https://github.com/sjvermeu/cvechecker

But both solutions only handle installed packages.

We would still need something to alert us to CVEs in non-installed
software, I think.

Also, I've just looked and it seems only a little over 1000 ports have
CPE strings. Adding something to portlint that warned ports developers
to add any needed CPE info would be helpful. I think that type of
warning has helped us improve LICENSE entries.


Steve


Re: New pkg audit FNs

2017-10-09 Thread Jan Beich
Steve Wills writes:

> Hi,
>
> On 10/09/2017 16:34, Jan Beich wrote:
>> Matthew Seaman writes:
>>
>>> On 09/10/2017 16:57, Roger Marquis wrote:
>>>
>>>> Can anyone say what mechanisms the ports-security team might have in
>>>> place to monitor CVEs and port software versions?
>
> I've been hacking at a prototype for scanning what I can find:
>
> https://github.com/swills/nvd_to_new_vuxml

Wouldn't that encourage copypasta, exacerbating filesize issue? Why not
teach pkg-audit(8) to query NVD based on CPE annotations in *binary* packages?
Doing so would also provide a workaround for VuXML entries cancelled
to reduce bloat.
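Jan's suggestion above, as an added example that is not part of the thread and not pkg(8) or cvechecker code: a minimal matcher that takes a package's CPE 2.3 annotation and tests it against NVD-style cpe_match nodes with version bounds. The field names (cpe23Uri, versionStartIncluding, versionEndExcluding, versionEndIncluding) follow the NVD JSON feed; the CVE ids, CPE strings and version ranges are constructed placeholders.

```python
# Added example (not code from the thread, pkg(8) or cvechecker): a minimal
# pkg-audit style matcher that takes a package's CPE 2.3 annotation and tests
# it against NVD-style cpe_match nodes. All CPE strings, CVE ids and version
# ranges below are constructed placeholders, not real NVD data.
from typing import Dict, List, Tuple

def parse_cpe23(cpe: str) -> Tuple[str, str, str]:
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return parts[3], parts[4], parts[5]

def version_key(v: str) -> Tuple[int, ...]:
    """Dotted-numeric ordering; non-numeric components sort as 0."""
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))

def cpe_in_range(pkg_cpe: str, match: Dict[str, str]) -> bool:
    """True if pkg_cpe falls inside one NVD-style cpe_match node."""
    vendor, product, version = parse_cpe23(pkg_cpe)
    m_vendor, m_product, m_version = parse_cpe23(match["cpe23Uri"])
    if (vendor, product) != (m_vendor, m_product):
        return False
    if m_version not in ("*", "-"):          # node names one exact version
        return version == m_version
    v = version_key(version)                 # wildcard: apply range bounds
    lo = match.get("versionStartIncluding")
    hi_exc = match.get("versionEndExcluding")
    hi_inc = match.get("versionEndIncluding")
    return ((lo is None or v >= version_key(lo))
            and (hi_exc is None or v < version_key(hi_exc))
            and (hi_inc is None or v <= version_key(hi_inc)))

def audit(pkg_cpes: Dict[str, str], nvd: List[Dict]) -> List[Tuple[str, str]]:
    """Return (package, CVE id) pairs for every package inside a match node."""
    return [(pkg, e["id"]) for pkg, cpe in pkg_cpes.items() for e in nvd
            if any(cpe_in_range(cpe, m) for m in e["cpe_match"])]

# Constructed samples: package name -> CPE annotation, and two NVD-like entries.
PKGS = {"tomcat8-8.0.45": "cpe:2.3:a:apache:tomcat:8.0.45:*:*:*:*:*:*:*",
        "tiff-4.0.8": "cpe:2.3:a:libtiff:tiff:4.0.8:*:*:*:*:*:*:*",
        "tomcat8-8.0.47": "cpe:2.3:a:apache:tomcat:8.0.47:*:*:*:*:*:*:*"}
NVD = [{"id": "CVE-0000-0001", "cpe_match": [     # range node: 8.0.0 <= v < 8.0.47
            {"cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.47"}]},
       {"id": "CVE-0000-0002", "cpe_match": [     # exact-version node
            {"cpe23Uri": "cpe:2.3:a:libtiff:tiff:4.0.8:*:*:*:*:*:*:*"}]}]
```

Calling audit(PKGS, NVD) flags tomcat8-8.0.45 and tiff-4.0.8 and stays silent on tomcat8-8.0.47, which sits at the excluded upper bound; a real implementation would need the ports version-comparison rules rather than the crude dotted-numeric ordering used here.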


Re: New pkg audit FNs

2017-10-09 Thread Steve Wills

Hi,

On 10/09/2017 16:34, Jan Beich wrote:
> Matthew Seaman writes:
>
>> On 09/10/2017 16:57, Roger Marquis wrote:
>>
>>> Can anyone say what mechanisms the ports-security team might have in
>>> place to monitor CVEs and port software versions?

I've been hacking at a prototype for scanning what I can find:

https://github.com/swills/nvd_to_new_vuxml

It's more of a proof of concept than anything. The entry for this issue
is still incomplete though, and the web page for it lists it as "waiting
for analysis":

https://nvd.nist.gov/vuln/detail/CVE-2017-12617

>>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
>>> there's no mention of it in the vulnerability database. The tomcat8

It looks like it's there to me:

https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=451185=451415

https://www.vuxml.org/freebsd/c0dae634-4820-4505-850d-b1c975d0f67d.html

And added days ago.

>>> port's Makefile also still points to the older, vulnerable version.

True, the maintainer needs to update it. I've copied him on this message.

>>> Tomcat is one of those popular, internet-facing applications that sites
>>> need to check and/or update quickly when CVEs are released and most
>>> admins probably don't expect "pkg audit" to throw false negatives.
>>
>> Ports-secteam (and secteam, for that matter) will update VuXML when they
>> know about vulnerabilities that affect FreeBSD ports, however the usual
>> mechanism is that the port maintainer either updates VuXML themselves
>> directly or tells the appropriate people that there are vulnerabilities
>> that need to be recorded.

Correct, but it doesn't have to be the port maintainer, anyone can
submit a bug report with a patch to ports/security/vuxml/vuln.xml

> What happened to querying CVE database using CPE strings? ENOTIME is a
> common disease in volunteer projects, ports-secteam@ is no exception.
> Finding missing entries is trivial if one looks at Debian tracker.
> Let's pick something popular e.g., tiff-4.0.8 has 6 CVEs none of which
> are fixed in the port.
>
> https://wiki.freebsd.org/Ports/CPE

Indeed, I've wanted to try matching up ports/packages to the CVE entries
by using CPE data. I will try to look at that again, but as always
patches welcome.

I'll try to add the missing tiff entries and any others anyone cares to
point out.


Steve

Re: New pkg audit FNs

2017-10-09 Thread Jan Beich
Matthew Seaman writes:

> On 09/10/2017 16:57, Roger Marquis wrote:
>
>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
>> there's no mention of it in the vulnerability database. The tomcat8
>> port's Makefile also still points to the older, vulnerable version.
>> Tomcat is one of those popular, internet-facing applications that sites
>> need to check and/or update quickly when CVEs are released and most
>> admins probably don't expect "pkg audit" to throw false negatives.
>
> Ports-secteam (and secteam, for that matter) will update VuXML when they
> know about vulnerabilities that affect FreeBSD ports, however the usual
> mechanism is that the port maintainer either updates VuXML themselves
> directly or tells the appropriate people that there are vulnerabilities
> that need to be recorded.

What happened to querying CVE database using CPE strings? ENOTIME is a
common disease in volunteer projects, ports-secteam@ is no exception.
Finding missing entries is trivial if one looks at Debian tracker.
Let's pick something popular e.g., tiff-4.0.8 has 6 CVEs none of which
are fixed in the port.

https://wiki.freebsd.org/Ports/CPE

Re: New pkg audit FNs

2017-10-09 Thread Matthew Seaman
On 09/10/2017 16:57, Roger Marquis wrote:
> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
> there's no mention of it in the vulnerability database. The tomcat8
> port's Makefile also still points to the older, vulnerable version.
> Tomcat is one of those popular, internet-facing applications that sites
> need to check and/or update quickly when CVEs are released and most
> admins probably don't expect "pkg audit" to throw false negatives.

Ports-secteam (and secteam, for that matter) will update VuXML when they
know about vulnerabilities that affect FreeBSD ports, however the usual
mechanism is that the port maintainer either updates VuXML themselves
directly or tells the appropriate people that there are vulnerabilities
that need to be recorded.

Ports-secteam do not try and track CVEs for everything in the ports:
that's probably unfeasible given that it's a volunteer effort.

The latest tomcat advisories being missing from VuXML is a symptom of
the perennial problem: nobody stepping up to do the work.

pkg-audit(8) has been pretty good at reporting problems, but it always
has been a best-efforts thing, and there's no guarantee it will be
comprehensive.

Cheers,

Matthew

Re: New pkg audit FNs

2017-10-09 Thread User
Hello,

They go by the public CVE announcements. The audit db might be slow on
updating. But really you should be following CVEs for any software you use
yourself that is mission critical.

On Oct 9, 2017 11:01 AM, "Roger Marquis" wrote:

> Can anyone say what mechanisms the ports-security team might have in
> place to monitor CVEs and port software versions?
>
> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
> there's no mention of it in the vulnerability database. The tomcat8
> port's Makefile also still points to the older, vulnerable version.
> Tomcat is one of those popular, internet-facing applications that sites
> need to check and/or update quickly when CVEs are released and most
> admins probably don't expect "pkg audit" to throw false negatives.
>
> Tomcat is just one of many apps, however, so concern regarding the
> validity of FreeBSD's vulnerability database is larger than this CVE.
> We are concerned about update processes and procedures, especially
> considering how this topic has come up in the past (for different apps).
>
> Roger Marquis
> ___
> freebsd-secur...@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
>


New pkg audit FNs

2017-10-09 Thread Roger Marquis

Can anyone say what mechanisms the ports-security team might have in
place to monitor CVEs and port software versions?

The reason I ask is CVE-2017-12617 was announced almost a week ago yet
there's no mention of it in the vulnerability database. The tomcat8
port's Makefile also still points to the older, vulnerable version.
Tomcat is one of those popular, internet-facing applications that sites
need to check and/or update quickly when CVEs are released and most
admins probably don't expect "pkg audit" to throw false negatives.

Tomcat is just one of many apps, however, so concern regarding the
validity of FreeBSD's vulnerability database is larger than this CVE.
We are concerned about update processes and procedures, especially
considering how this topic has come up in the past (for different apps).

Roger Marquis