My review

View all my reviews.

Example process flow...

1. Identify a valid vulnerability report from some source ... (freshports is your friend here as it will help identify the exact FreeBSD port name and whether the vulnerability has already been reported.

2. Complete the form

3. Save the resulting XML, for example /tmp/portname.vuxml

4. send-pr -a /tmp/portname.vuxml

5. Complete the problem report and send.

I'm also considering an option to have the submission sent to me (or some sort of queue) instead of just producing the raw output, that way it can find it's way to the vuxml input stream with even less effort.

openvpn --genkey --secret /path/to/vpn-cn-key.txt

Then you can specify secret /path/to/vpn-key.txt in the OpenVPN configuration file.

The vulnerabilities identified by portaudit via vuxml is built by volunteer submission, so users submit patches to /usr/ports/security/vuxml/vuln.xml to describe newly-discovered vulnerabilities. So I consider this a negative in a way since vulnerabilities are frequently falling through the cracks. Can port-maintainers be held responsible for updating vuxml when their ports are listed? I think this would be a reasonable compromise.

Otherwise we need a delegation of responsibilities to ensure vulns DON'T fall through the cracks. Perhaps a team of volunteers who focus on CVEs, non-CVEs (e.g. SecurityFocus or FrSIRT but not CVE-listed) and strictly vendor identified vulns would be able to provide better coverage.

There's also the learning curve of generating vuxml entries, which I describe here. The process is a bit cumbersome and could use some help, so I've begun working on a "wizard" HTML form for vuxml submission (Note:non-functioning as of yet) which could make this a little easier esp. for newbies.

I'd also love to see portaudit ported to Linux distros (both RPM and DEB) as it should be fairly easy to do.

pfSense has openvpn capability. You can provide SSL CA and server certificate + key.
It also wants the Diffie Helman (DH) parameters. Generating these is described by the openvpn documentation as running ./build-dh script.

Not really an option within pfSense. So you need the "other" command that works on pfSense.

Here's what I did.
1. SSH to pfsense system (ssh admin@pfsense)
2. Choose 8) Shell from menu
3. Run # openssl dhparam -out dh1024.pem 1024
4. cat dh1024.pem
5. Paste contents into pfsense web form.

Here is what the parameters should look like.
-----BEGIN DH PARAMETERS-----
MIGHAoGBAJe656S7xrtxwiQbL/hQ6POKhywl8avqLw2ZxMux5YsQnEQJIHr0sCm1
...RANDOM GIBBERISH...
k963XupLUOCM893va70qdpCjEZFapXZsm7nlFfsDMafOWFRyyY4bAgEC
-----END DH PARAMETERS-----

I write about my personal experiences with WPAD here.

In other words, retired or not bind 8 is going to be around for a while yet.

Well, today in my usual "security run output" e-mail that my FreeBSD servers send me was this:

Checking for packages with security vulnerabilities:Affected package: rsync-2.6.9Type of problem: rsync -- off by one stack overflow.Reference: http://www.FreeBSD.org/ports/portaudit/af8e3a0c-5009-11dc-8a43-003048705d5a.html

Great - I hopped on the box and, knowing also that the myupdate script had brought my ports tree up-to-date the night before... I just ran portmaster rsync and was asked do I want to upgrade rsync-2.6.9.

So I said yes and portmaster began the upgrade to 2.6.9_1. Only momentarily I was interrupted with the fatal error echoing the message above except for 2.6.9_1.

What was happening? I will tell you.

portaudit periodically downloads a local copy of the portaudit database. The copy on my local filesystem was from the day before, which must have not had the updated known-good version specified. After running portaudit -Fa I was able to update the rsync port.

The -F flag forces portaudit to fetch a fresh copy of the vulnerability (XML) database.

This would be something to know for handling quick fixes to freshly released & patched vulnerabilities.

Thanks to everyone who helped, you know who you are!

For the rest of you who are in a position to manage certificates for your organization/company/school, xca is an excellent GUI to manage the CA generation and functions of CSR import, certificate signing and CRL generation. We've used it for 2 years at the Port and has worked out really well. Please try it out and show your support.