Where to report out-of-date ports with security advisories

charles_belov · Jul 30, 2010

If the port that is in the FreeBSD port collection is out-of-date and has a security advisory on it as being insecure, where do I report this?

DutchDaemon · Jul 30, 2010

The maintainer and/or the freebsd-ports list and/or a PR (http://www.freebsd.org/send-pr.html).

charles_belov · Aug 2, 2010

Thank you. As it involves a security issue, I e-mailed both the port maintainer and FreeBSD security (as noted in the instructions for filing a PR).

SirDice · Aug 2, 2010

As a matter of interest, which port is it?

charles_belov · Aug 3, 2010

Actually, they say not to post security issues on a public forum until it is resolved. I would extend this to not telling whoever asks.

I'll post back when I've verified the issue has been fixed.

SirDice · Aug 3, 2010

If the port's source is already patched but it's just the port skeleton that needs updating then it shouldn't be a problem. Most of us are probably quite capable to change the port's Makefile. I know I am

It would also help to increase awareness of the bug, not only for the bad guys but for us good guys too. Everyone should be able to review the impact of said bug :e

lily · Aug 3, 2010

BTW, if the vendor is lazy enough to not fix the vulnerability within a few weeks I think you can just go ahead: disclose details and mark the port FORBIDDEN.

charles_belov · Aug 4, 2010

No, the vendor fixed and disclosed the vulnerability. It was the port that had not yet been updated. It is updated now.

Piwik 0.8

charles_belov · Aug 4, 2010

Piwik.

And the port is fixed.

Where to report out-of-date ports with security advisories

charles_belov

DutchDaemon

Administrator

charles_belov

SirDice

Administrator

charles_belov

SirDice

Administrator

lily

Guest

charles_belov

charles_belov