The FreeBSD Core and Security teams have made a recent announcement concerning the freebsd-update and portsnap vulnerabilities. The full message from the mailing list, quoted below, should address the concerns raised in the community.
Dear FreeBSD Community:

The FreeBSD Core team and FreeBSD Security team would like to update the community on the reports of security vulnerabilities in freebsd-update, portsnap, libarchive, and bspatch. We understand the severity of this issue, and are actively working to resolve the issues and improve the security of FreeBSD. A recent post to the freebsd-security@ list raised a number of questions and we would like to address those.

1. Since there are known vulnerabilities in freebsd-update and portsnap, why has there been no notification to the community from secteam@?

As a general rule, the FreeBSD Security Officer does not announce vulnerabilities for which there is no released patch. We are reviewing this policy for cases where a proof-of-concept or working exploit is already public.

2. Why was there no mention of the fact that running freebsd-update to install the fix for the bspatch advisory [SA-16:25] may actually expose users to the vulnerability?

To be exposed, a user would need to be under an active Man-In-The-Middle attack when fetching patches. The Security Advisory did not contain information on the theoretical implications of the vulnerability. A more explicit paragraph in the 'Impact' statement may have been warranted. As always, instructions on how to compile the patched bspatch manually rather than using freebsd-update were provided as part of the advisory.

3. The patch included in SA-16:25 is incomplete, and may still permit heap corruption. The patch included in the document dump is more complete. Why only a partial fix?
Original announcement: https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html