FYI regarding these new and significant failures of FreeBSD security policy and procedures.
PHP55 vulnerabilities announced over a week ago (<https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/>) have still not been ported to lang/php55. You can, however, edit the Makefile, increment the PORTVERSION from 5.5.24 to 5.5.25, and run 'make makesum deinstall reinstall clean' to secure a server without waiting for the port to be updated. Older versions of PHP may also have unpatched vulnerabilities that are not noted in the vuln.xml database.

New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your earliest convenience if you have these installed.

HEADS-UP: anyone maintaining public-facing FreeBSD servers who is depending on 'pkg audit' to report whether a server is secure should note that this method is no longer reliable.

If you find a vulnerability such as a new CVE or mailing list announcement, please send it to the port maintainer and <ports-sect...@freebsd.org> as quickly as possible. They are woefully understaffed and need our help. Though freebsd.org indicates that security alerts should be sent to <sect...@freebsd.org>, this is incorrect. If the vulnerability is in a port or package, send an alert to ports-secteam@ and NOT secteam@, as the secteam will generally not reply to your email or forward the alerts to ports-secteam.

Roger
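The manual version bump described above, as an added example that is not part of the post: a POSIX sh script that rewrites PORTVERSION in a port Makefile, compares the installed version against the fixed one, and only then runs the make sequence. The ports-tree path, the package name derived from the port directory, and the sample Makefile used for checking are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Bumps PORTVERSION in a port
# Makefile the way the post describes (5.5.24 -> 5.5.25 for lang/php55) and
# compares an installed version with the fixed one. /usr/ports and the
# package name (last path component of the port) are assumptions.

# version_lt A B: exit 0 when plain dotted version A sorts before B.
# Handles only N.N.N forms; on FreeBSD, 'pkg version -t A B' is authoritative
# (it also understands _revision and ,epoch suffixes).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        [ "$ax" = "$a" ] && a='' || a=${a#*.}
        [ "$bx" = "$b" ] && b='' || b=${b#*.}
        [ "${ax:-0}" -lt "${bx:-0}" ] && return 0
        [ "${ax:-0}" -gt "${bx:-0}" ] && return 1
    done
    return 1
}

# bump_portversion MAKEFILE NEWVER: rewrite PORTVERSION, drop PORTREVISION
# (ports convention: the revision resets on a version bump), keep a
# MAKEFILE.orig backup and print the previous version. Fails without PORTVERSION.
bump_portversion() {
    mf=$1; newver=$2; tab=$(printf '\t')
    oldver=$(sed -n 's/^PORTVERSION=[[:space:]]*//p' "$mf" | head -n 1)
    [ -n "$oldver" ] || { echo "no PORTVERSION in $mf" >&2; return 1; }
    cp "$mf" "$mf.orig"
    sed -e "s/^PORTVERSION=.*/PORTVERSION=${tab}${newver}/" \
        -e '/^PORTREVISION=/d' "$mf.orig" > "$mf"
    echo "$oldver"
}

# update_port CATEGORY/NAME NEWVER: the post's procedure end to end. Rebuilds
# only when the installed version is older than NEWVER. Needs a ports tree and
# root, so it is not exercised here.
update_port() {
    port=$1; newver=$2; name=${port#*/}
    inst=$(pkg query '%v' "$name" 2>/dev/null | sed 's/[_,].*//')
    if [ -n "$inst" ] && ! version_lt "$inst" "$newver"; then
        echo "$name $inst is already at or above $newver"; return 0
    fi
    bump_portversion "/usr/ports/$port/Makefile" "$newver" >/dev/null || return 1
    # makesum refetches the distfile and regenerates the distinfo checksums
    ( cd "/usr/ports/$port" && make makesum deinstall reinstall clean )
}
```

Keep the .orig backup until the port itself is updated, so 'portsnap' or 'git pull' conflicts are easy to resolve.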
Does anyone know what's going on with vuln.xml updates? Over the last few weeks and months CVEs and application mailing lists have announced vulnerabilities for several ports that in some cases only showed up in vuln.xml after several days and in other cases are still not listed (despite email to the security team).
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"