# portaudit late?



## frijsdijk (Jul 16, 2013)

Hi,

More often I notice that FreeBSD's portaudit is always late compared to other security notices, now for instance https://bugs.php.net/bug.php?id=65236, resulting in http://www.ubuntu.com/usn/usn-1905-1/, http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4113.html and others. 

Obviously PHP 5.3.26 and PHP 5.4.16 are vulnerable, but portaudit still doesn't think it is.

How could this be improved? Is there something that I (or the community) could do about this?


----------



## SirDice (Jul 16, 2013)

They won't be added if nobody reports them.

http://www.vuxml.org/freebsd/


----------



## frijsdijk (Jul 16, 2013)

Well, that's an eye opener. Does it really work that way?


----------



## SirDice (Jul 16, 2013)

I'm sure the security-team will add things by themselves. But it never hurts to send them a notice.


----------



## frijsdijk (Jul 16, 2013)

Ok, I have already done that.

It was reported, BTW.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113 (20130612)
https://bugs.php.net/bug.php?id=65236 (20130712)


----------



## kpa (Jul 16, 2013)

frijsdijk said:

> Well, that's an eye opener. Does it really work that way?



Can you imagine an automated system for recording software vulnerabilities that anyone would ever trust? Security is one matter where it is mandatory that the reports are reviewed by humans very carefully before publishing them.


----------



## SirDice (Jul 17, 2013)

They should now be picked up by portaudit:
http://www.vuxml.org/freebsd/5def3175-f3f9-4476-ba40-b46627cc638c.html
http://www.vuxml.org/freebsd/31b145f2-d9d3-49a9-8023-11cf742205dc.html


----------
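The thread's point is that portaudit (and later `pkg audit`) can only flag a port once a VuXML `<vuln>` entry naming that port and an affected version range exists in the database; until someone files that entry, an installed php 5.3.26 or 5.4.16 looks clean. The following is an added illustration, not FreeBSD's tool or any code from this thread: a minimal matcher in the style of portaudit that parses a constructed VuXML-like document and checks installed package versions against the `<range>` bounds. The `vid`, topic text, package names and fixed versions in the sample are placeholders chosen for the example, not values taken from the real vuln.xml, and the version parser handles only the common `X.Y.Z[_portrevision][,portepoch]` shape.

```python
"""Minimal VuXML-style matcher in the spirit of portaudit / pkg audit.

Added illustration, not FreeBSD's implementation: shows why a port is only
reported once a <vuln> entry naming it exists in the database.
"""
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample database. The vid, topic, package names and fixed
# versions are placeholders for this example, not copied from vuln.xml.
VUXML_SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>php -- example vulnerability (constructed entry)</topic>
    <affects>
      <package>
        <name>php5</name>
        <range><lt>5.4.17</lt></range>
      </package>
      <package>
        <name>php53</name>
        <range><lt>5.3.27</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

# A database with no entry at all: the state the thread complains about.
EMPTY_VUXML = '<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"/>'


def parse_version(version: str):
    """Split a FreeBSD-style package version into a comparable tuple.

    Simplified grammar: X.Y.Z[_portrevision][,portepoch]. Epoch wins over
    everything, then the dotted components, then the port revision.
    """
    epoch = 0
    if "," in version:
        version, epoch_str = version.split(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.split("_", 1)
        revision = int(rev_str)
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        # Numeric prefix compares as an int; any trailing letters as a string.
        parts.append((int(m.group(1)), m.group(2)) if m else (0, piece))
    return (epoch, tuple(parts), revision)


# Bound operators allowed inside a VuXML <range>.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def version_in_range(version: str, range_elem) -> bool:
    """A <range> is the intersection of its bounds; every bound must hold."""
    parsed = parse_version(version)
    for bound in range_elem:
        tag = bound.tag.split("}")[-1]  # strip the namespace
        if tag not in OPS:
            continue
        if not OPS[tag](parsed, parse_version(bound.text.strip())):
            return False
    return True


def audit(installed: dict, vuxml_text: str = VUXML_SAMPLE):
    """Return (pkgname, version, vid, topic) for each installed package that
    falls inside an affected range of some <vuln> entry."""
    root = ET.fromstring(vuxml_text)
    findings = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        topic = vuln.findtext("v:topic", default="", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            name = pkg.findtext("v:name", namespaces=NS)
            if name not in installed:
                continue
            version = installed[name]
            if any(version_in_range(version, rng)
                   for rng in pkg.findall("v:range", NS)):
                findings.append((name, version, vid, topic))
    return findings


if __name__ == "__main__":
    # Constructed inventory resembling the versions named in the thread.
    installed = {"php5": "5.4.16", "php53": "5.3.26_1", "bash": "4.2.45"}
    for name, ver, vid, topic in audit(installed):
        print(f"Affected package: {name}-{ver} ({topic}; vid {vid})")
    print("With an empty database:", audit(installed, EMPTY_VUXML))
```

Running it against `EMPTY_VUXML` returns nothing for the same installed versions, which is exactly the situation before the two VuXML entries linked above were published: the audit tool is only as current as the database entries people file.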

