Issues affecting the FreeBSD Ports Collection are covered separately in the FreeBSD VuXML document. This is the advice you get here. Now click on the link and follow all of the very few links there, just to get an idea of what VuXML is about.
pkg audit makes use of it.
Code:
# pkg audit
tiff-4.0.7_1 is vulnerable:
tiff -- multiple vulnerabilities
CVE: CVE-2017-7602
CVE: CVE-2017-7601
CVE: CVE-2017-7600
CVE: CVE-2017-7599
CVE: CVE-2017-7598
CVE: CVE-2017-7597
CVE: CVE-2017-7596
CVE: CVE-2017-7595
CVE: CVE-2017-7594
CVE: CVE-2017-7593
CVE: CVE-2017-7592
CVE: CVE-2017-5225
WWW: https://vuxml.FreeBSD.org/freebsd/2a96e498-3234-4950-a9ad-419bc84a839d.html
I have been getting the output above since 2017-04-20, when the entry was created in the database, 30 days ago.
Looking at https://vuxml.freebsd.org/freebsd/index.html we can dig into
https://vuxml.freebsd.org/freebsd/2a96e498-3234-4950-a9ad-419bc84a839d.html
where you can look up a list of NVD reports. Each report has a source link in the lower right corner of the box, which you might not notice. But click on it!
It takes you to https://nvd.nist.gov/vuln/detail/CVE-2017-5225
Before you get drawn in by the impact of that vulnerability, notice the "Quick Info":
Quick Info
CVE Dictionary Entry: CVE-2017-5225
Original release date: 01/12/2017
Last revised: 01/27/2017
Source: US-CERT/NIST
Notice that there is a gap of 92 days between the NIST entry and the vuxml.freebsd entry.
Now add the 30 days as of today to the 92 days and try to express that in months.
And please note that this is only the first of 12 CVEs.
Also interesting is the PR from Sevan Janiyan, entered 2017-01-31 03:33:41 UTC, which got a reply from Jan Beich (away from May 25 to June 11), freebsd_committer, on 2017-04-21 08:06:40 UTC.
Now, I anticipate that few/some/most will want to say "But it's all for free. We are volunteers." But could it be worse?
Now, what would be the pragmatic policy for a port where no fix is found in the ports? Suppose there is no alternative; that means deleting the port and all those depending on it. Does anyone vote against? Too many ports depending on it?
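As an added example (not code from the post above, nor from FreeBSD's pkg or VuXML tooling), here is a small Python script that parses the `pkg audit` output quoted in the post, pulls out the package, the VuXML entry ID and the CVE list, and measures the window between each CVE's NVD release date and the date the VuXML entry appeared. The NVD date table is constructed: only CVE-2017-5225 is filled in, with the 01/12/2017 date from the Quick Info box; the other eleven CVEs are left unknown rather than guessed, and the script reports them as such. The entry date 2017-04-20 and the "today" of 30 days later are taken from the post as written.

```python
import re
from datetime import date

# `pkg audit` output copied from the post above (one package, twelve CVEs).
PKG_AUDIT_OUTPUT = """\
tiff-4.0.7_1 is vulnerable:
tiff -- multiple vulnerabilities
CVE: CVE-2017-7602
CVE: CVE-2017-7601
CVE: CVE-2017-7600
CVE: CVE-2017-7599
CVE: CVE-2017-7598
CVE: CVE-2017-7597
CVE: CVE-2017-7596
CVE: CVE-2017-7595
CVE: CVE-2017-7594
CVE: CVE-2017-7593
CVE: CVE-2017-7592
CVE: CVE-2017-5225
WWW: https://vuxml.FreeBSD.org/freebsd/2a96e498-3234-4950-a9ad-419bc84a839d.html
"""

# NVD "Original release date" per CVE (constructed table). Only CVE-2017-5225
# is known, from the Quick Info box quoted in the post; the rest stay unknown.
NVD_PUBLISHED = {"CVE-2017-5225": date(2017, 1, 12)}

# Date the VuXML entry showed up in the local database, and the post's "today"
# (30 days after the entry), both as stated in the post.
VUXML_ENTRY_DATE = date(2017, 4, 20)
TODAY = date(2017, 5, 20)

VULN_RE = re.compile(r"^(\S+) is vulnerable:$")
CVE_RE = re.compile(r"^CVE: (CVE-\d{4}-\d{4,})$")
WWW_RE = re.compile(r"^WWW: (https?://\S+/([0-9a-fA-F-]{36})\.html)$")


def parse_pkg_audit(text):
    """Turn `pkg audit` output into one dict per vulnerable package.

    Lines are stripped first so both the flat layout shown in the post and
    the indented layout of newer pkg versions parse the same way.
    """
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = VULN_RE.match(line)
        if m:
            cur = {"package": m.group(1), "title": None, "cves": [], "vid": None, "www": None}
            entries.append(cur)
            continue
        if cur is None or not line:
            continue
        m = CVE_RE.match(line)
        if m:
            cur["cves"].append(m.group(1))
            continue
        m = WWW_RE.match(line)
        if m:
            cur["www"], cur["vid"] = m.group(1), m.group(2)
            cur = None  # the WWW: line ends a package block
            continue
        if cur["title"] is None:
            cur["title"] = line  # e.g. "tiff -- multiple vulnerabilities"
    return entries


def exposure_report(entry, nvd_published, vuxml_date, today):
    """Per CVE: days from NVD publication to the VuXML entry, and to today.

    CVEs with no known NVD date get None for both values, so gaps in the
    data stay visible instead of being dropped or filled with a guess.
    """
    report = {}
    for cve in entry["cves"]:
        pub = nvd_published.get(cve)
        if pub is None:
            report[cve] = {"to_vuxml": None, "to_today": None}
        else:
            report[cve] = {"to_vuxml": (vuxml_date - pub).days,
                           "to_today": (today - pub).days}
    return report


def worst_case_days(report):
    """Longest known publication-to-today window across one entry's CVEs."""
    known = [r["to_today"] for r in report.values() if r["to_today"] is not None]
    return max(known) if known else None


if __name__ == "__main__":
    for e in parse_pkg_audit(PKG_AUDIT_OUTPUT):
        rep = exposure_report(e, NVD_PUBLISHED, VUXML_ENTRY_DATE, TODAY)
        print(f"{e['package']}: {e['title']} (VuXML {e['vid']})")
        for cve, r in rep.items():
            print(f"  {cve}: NVD->VuXML {r['to_vuxml']} days, NVD->today {r['to_today']} days")
        print(f"  worst known exposure: {worst_case_days(rep)} days")
```

Run it against a live system by replacing the embedded string with the captured output of `pkg audit`, and fill `NVD_PUBLISHED` from the NVD pages the VuXML entry links to; the point of keeping unknown dates as None is that the "worst known exposure" figure is then a lower bound, never an invented one.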