Hi,
On 10/09/2017 16:34, Jan Beich wrote:
Matthew Seaman <matt...@freebsd.org> writes:
On 09/10/2017 16:57, Roger Marquis wrote:
Can anyone say what mechanisms the ports-security team might have in
place to monitor CVEs and port software versions?
I've been hacking at a prototype for scanning what I can find:
https://github.com/swills/nvd_to_new_vuxml
It's more of a proof of concept than anything. The entry for this issue
is still incomplete though, and the web page for it lists it as "waiting
for analysis":
https://nvd.nist.gov/vuln/detail/CVE-2017-12617
The reason I ask is CVE-2017-12617 was announced almost a week ago yet
there's no mention of it in the vulnerability database The tomcat8
It looks like it's there to me:
https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=451185&r2=451415
https://www.vuxml.org/freebsd/c0dae634-4820-4505-850d-b1c975d0f67d.html
And added days ago.
port's Makefile also still points to the older, vulnerable version.
True, the maintainer needs to update it. I've copied him on this message.
Tomcat is one of those popular, internet-facing applications that sites
need to check and/or update quickly when CVEs are released and most
admins probably don't expect "pkg audit" to throw false negatives.
Ports-secteam (and secteam, for that matter) will update VuXML when they
know about vulnerabilities that affect FreeBSD ports, however the usual
mechanism is that the port maintainer either updates VuXML themselves
directly or tells the appropriate people that there are vulnerabilities
that need to be recorded.
Correct, but it doesn't have to be the port maintainer, anyone can
submit a bug report with a patch to ports/security/vuxml/vuln.xml
What happened to querying CVE database using CPE strings? ENOTIME is a
common disease in volunteer projects, ports-secteam@ is no exception.
Finding missing entries is trivial if one looks at Debian tracker.
Let's pick something popular e.g., tiff-4.0.8 has 6 CVEs none of which
are fixed in the port.
https://wiki.freebsd.org/Ports/CPE
Indeed, I've wanted to try matching up ports/packages to the CVE entries
by using CPE data. I will try to look at that again, but as always
patches welcome.
I'll try to add the missing tiff entries and any others anyone cares to
point out.
Steve
_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
