portaudit late?

[frijsdijk]

Hi,

More often I notice that FreeBSD's portaudit is always late compared to other security notices, now for instance https://bugs.php.net/bug.php?id=65236, resulting in http://www.ubuntu.com/usn/usn-1905-1/, http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4113.html and others.

Obvously PHP 5.3.26 and PHP 5.4.16 are vulnerable, but portaudit still doesn't think it is.

How could this be improved? Is there something that I (or the community) could do about this?

 

[SirDice]

They won't be added if nobody reports them.

http://www.vuxml.org/freebsd/

 

[frijsdijk]

Well, that's an eye opener. Does it really work that way?

 

[SirDice]

I'm sure the security-team will add things by themselves. But it never hurts to send them a notice.

 

[frijsdijk]

Ok, have already done that.

It was reported BTW.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113 (20130612)
https://bugs.php.net/bug.php?id=65236 (20130712)

 

[kpa]

Well, that's an eye opener. Does it really work that way?

Can you imagine an automated system for recording software vulnerabilities that anyone would ever trust? Security is one matter where it is mandatory that the reports are reviewed by humans very carefully before publishing them.

 

[SirDice]

They should now be picked up by portaudit:
http://www.vuxml.org/freebsd/5def3175-f3f9-4476-ba40-b46627cc638c.html
http://www.vuxml.org/freebsd/31b145f2-d9d3-49a9-8023-11cf742205dc.html