New pkg audit / vuln.xml failures (php55, unzoo)

Remko Lodder remko at
Sat May 23 18:28:52 UTC 2015

Please send these things to ports-secteam at so that they
can have a look at these please.


> On 23 May 2015, at 17:30, Roger Marquis <marquis at> wrote:
> FYI regarding these new and significant failures of FreeBSD security
> policy and procedures.
> PHP55 vulnerabilities announced over a week ago
> <>) have still
> not been ported to lang/php55.  You can, however, edit the Makefile,
> increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum
> deinstall reinstall clean' to secure a server without waiting for the
> port to be updated.  Older versions of PHP may also have unpatched
> vulnerabilities that are not noted in the vuln.xml database.
> New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg
> audit -F' or vuln.xml.  Run 'pkg remove unzoo zoo' at your earliest
> convenience if you have these installed.
>  HEADS-UP: anyone maintaining public-facing FreeBSD servers who is
>  depending on 'pkg audit' to report whether a server is secure should
>  note that this method is no longer reliable.
> If you find a vulnerability such as a new CVE or mailing list
> announcement please send it to the port maintainer and
> <ports-secteam at> as quickly as possible.  They are woefully
> understaffed and need our help.  Though indicates that
> security alerts should be sent to <secteam at> this is
> incorrect.  If the vulnerability is in a port or package send an alert to
> ports-secteam@ and NOT secteam@ as the secteam will generally not reply
> to your email or forward the alerts to ports-secteam.
> Roger
>> Does anyone know what's going on with vuln.xml updates?  Over the last
>> few weeks and months CVEs and application mailing lists have announced
>> vulnerabilities for several ports that in some cases only showed up in
>> vuln.xml after several days and in other cases are still not listed
>> (despite email to the security team).

/"\   Best regards,                      | remko at
\ /   Remko Lodder                       | remko at EFnet
 X          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News
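As an added example that is not part of the thread: a small POSIX sh supplement to 'pkg audit' that encodes the two findings Roger lists (php55 older than 5.5.25, any unzoo or zoo install) and runs them over constructed 'pkg query "%n-%v"' output. The version floor and package names come from the post; the script itself and the sample inventory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a local check for the two items the post
# names, meant to run beside 'pkg audit' while vuln.xml lags behind announcements.
# Input format assumed: one "name-version" line per package, as
# 'pkg query "%n-%v"' prints on FreeBSD.

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise.
# Only leading numeric parts of each component are compared ("25_1" and "25,1"
# both count as 25), which is enough for the plain upstream versions here.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_packages: reads "name-version" lines on stdin, prints one line per
# finding, and returns 1 if anything needs action, 0 if the inventory is clean.
check_packages() {
    found=0
    while IFS= read -r pkg; do
        name=${pkg%-*}      # everything before the last "-" is the port name
        ver=${pkg##*-}      # everything after it is the version
        case "$name" in
            php55)
                # 5.5.25 is the first version the post says carries the fixes.
                if ! version_ge "$ver" 5.5.25; then
                    echo "UPGRADE $pkg: bump lang/php55 PORTVERSION to 5.5.25 and rebuild"
                    found=1
                fi ;;
            unzoo|zoo)
                echo "REMOVE $pkg: new CVEs not yet listed in vuln.xml"
                found=1 ;;
        esac
    done
    return $found
}

# Constructed sample inventory (not a real host) so the script runs stand-alone.
SAMPLE='php55-5.5.24
unzoo-4.4_2
nginx-1.8.0,2
zoo-2.10.1_2'

if printf '%s\n' "$SAMPLE" | check_packages; then
    echo "no action needed"
fi
```

On a real host, feed the live inventory instead of the sample with `pkg query '%n-%v' | check_packages`.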

