pkg audit / vuln.xml / no more updates for base system and kernel ??

No, this is not normal from my point of view and I am really pi**ed off about it.
I tried many times to discuss it on the freebsd-security@ mailing list - why SAs are not added automatically to the vuln.xml - without any reply.
Entries were mainly added by Mark Felder, who invented this https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/ but he is not the Security Officer.
Then I created security/base-audit to ease the monitoring of vulnerabilities for users (it is a simple periodic script running daily). Now it is useless because there are no SA entries.
It seems like nobody among the FreeBSD officials cares about reporting vulnerabilities to users. I really don't know why. Are we really in 2019 without a tool and entries to automatically check and report vulnerabilities in the base system, when we have it for ports / packages?

Even when I created a patch for the latest missing SA entries and submitted a PR, nobody can commit it for a month: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240322
It would be so simple to just commit it that I can't understand why it has not been done yet.
 
Hi

It has happened again: https://www.vuxml.org/freebsd/pkg-FreeBSD-kernel.html
No more entries since 08/2022 (FreeBSD 13.0 / 12.3p6)...

:(
Your URL is correct, there was no kernel Security Advisory from 2022-08. All advisories from that time to now were related to userland applications in base. They should be on this URL https://www.vuxml.org/freebsd/pkg-FreeBSD.html
But they are not. I have been fighting this problem for years. I really do not understand how it is possible that the Security team does not publish SAs in FreeBSD's own project - VuXML.
Base audit has been included in pkg for a long time, so every user of FreeBSD can benefit from it, but not without entries in VuXML.
 
I really do not understand how it is possible that the Security team does not publish SAs in FreeBSD's own project - VuXML.
It's quite unbelievable, I agree!
How can we involve the Security Team in this thread and/or PR?
I will try tagging bapt@ and emaste@ (hoping that these users are members of the Security Team, because the usernames match emails @FreeBSD.org; sorry otherwise about that ;)).
 