Re: portaudit

From: Jacques A. Vidrine (nectar_at_FreeBSD.org)
Date: 03/18/04

    Date: Thu, 18 Mar 2004 07:59:57 -0600
    To: Tobias Roth <roth@iam.unibe.ch>
    
    

    On Thu, Mar 18, 2004 at 09:28:10AM +0100, Tobias Roth wrote:
    > On Wed, Mar 17, 2004 at 02:00:51AM -0500, Peter C. Lai wrote:
    >
    > <snip>
    > > Seeing as
    > > the security officer apparently (without announcement) no longer issues
    > > security notices (SNs) for ports
    > <snip>
    >
    > is this true? no more advisories concerning ports?

    Advisories concerning ports have not been published for about two years.
    Most ports issues were very minor, and we wished to reserve advisories
    for issues affecting all FreeBSD systems--- i.e., software in the base
    system.

    The Security Notices were experimentally published to help keep users
    informed about non-FreeBSD vulnerabilities in packages in the Ports
    Collection. However, I am sorry to say that the experiment failed:
    there were few contributions to security notices, and I was not able to
    effectively produce them on my own.

    Thus, I recently created the Vulnerabilities and eXposures Markup
    Language (VuXML), a format for documenting the vulnerabilities in a
    software collection such as the FreeBSD Ports Collection. Any ports
    committer may create entries; any FreeBSD contributor may send-pr
    entries. Over time, it is expected that ports maintainers will be
    primarily responsible for tracking security issues in their ports,
    although the security officer will always act as `Editor' and often
    add entries also. In this fashion, we should be able to keep users
    informed of issues in all of our 10,000+ ports.

    There is still some tweaking going on, but VuXML (and any tools using
    it, like `portaudit') will be featured in an `official' announcement
    within a few weeks.

    Cheers,

    -- 
    Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    
