Date: Tue, 23 Aug 2016 11:37:18 -0500
From: Tim Zingelman <zingelman@fnal.gov>
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Cc: Roger Marquis <marquis@roble.com>, "schmidt@ze.tum.de" <schmidt@ze.tum.de>
Subject: Re: Ports EOL vuxml entry
Message-ID: <Pine.SOL.4.64.1608231109430.25496@nova.fnal.gov>
In-Reply-To: <8e50a727e71a444f9b2ccaa4844221f9@MWHPR09MB1359.namprd09.prod.outlook.com>
References: <6c3a84dc-5669-039c-6fa1-92565dd47dff@ze.tum.de> <3sHwFX4YYpz1y2W@mailrelay2.lrz.de> <a0a8f797-859e-23f7-7606-72a7dc50acb0@ze.tum.de> <8e50a727e71a444f9b2ccaa4844221f9@MWHPR09MB1359.namprd09.prod.outlook.com>
On Tue, 23 Aug 2016, Roger Marquis wrote:

>> There should be a way to state that the sysadmin is aware of the
>> outdated port and prevent pkg audit from reporting it
>
> Agreed though I expect such a report would see little use.

I maintain a local patch to preserve this functionality which was in portaudit but not in pkg audit. Perhaps not bullet proof, but simple enough to be sure it does what I want it to do.

Just drop the attached file into /usr/ports/ports-mgmt/pkg/files/ and put the VuXML IDs you want ignored into /usr/local/etc/portaudit.conf. (easy enough to edit the patch if you prefer pkg.conf or other)

This allows the administrator to evaluate each vulnerability entry, decide if it affects a system or not, and document that decision. There are issues with this solution when VuXML entries are edited after the fact to add new packages to the list, but it is better than nothing. (I'd argue that any such edits should require a new VuXML ID to be used.)
Hope this helps,
- Tim

[Attachment: patch-pkg_audit.c]
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.SOL.4.64.1608231109430.25496>
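As an added example (not Tim's patch and not part of pkg itself), the same ignore-list idea implemented as a post-filter over `pkg audit` output, extended to bind each ignored VuXML ID to the package name it was reviewed for, so that an entry later edited to cover another package is still reported rather than silently suppressed. The audit output layout, the one-entry-per-line config format and all IDs below are constructed assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the shape of `pkg audit` output (assumed format, not captured from a host).
SAMPLE_AUDIT = """\
libxml2-2.9.4 is vulnerable:
libxml2 -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/aaaaaaaa-0000-0000-0000-000000000001.html

php56-5.6.25 is vulnerable:
php -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/aaaaaaaa-0000-0000-0000-000000000002.html

2 problem(s) in the installed packages found.
"""

# Constructed ignore list: "<vuxml-id> <package-glob>" per line, justification after '#'.
SAMPLE_CONF = """\
aaaaaaaa-0000-0000-0000-000000000001 libxml2   # reviewed: affected code path not built here
aaaaaaaa-0000-0000-0000-000000000002 py27-*    # reviewed for the python binding only
"""

VUXML_ID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def parse_ignore_conf(text):
    """Return {vuxml_id: package_glob}; an entry without a package applies to any package."""
    ignored = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            ignored[fields[0].lower()] = fields[1] if len(fields) > 1 else "*"
    return ignored


def filter_audit(audit_text, ignored):
    """Split audit output into per-package blocks; suppress a block only when every
    VuXML ID in it is ignored for that package name, otherwise keep it for the report."""
    kept, suppressed = [], []
    for block in audit_text.strip().split("\n\n"):
        header = block.split("\n", 1)[0]
        if " is vulnerable:" not in header:
            continue  # skip the trailing "N problem(s) ..." summary
        pkg_version = header.split(" is vulnerable:", 1)[0]
        pkg_name = pkg_version.rsplit("-", 1)[0]  # drop the version suffix
        ids = {m.lower() for m in VUXML_ID.findall(block)}
        if ids and all(fnmatchcase(pkg_name, ignored.get(i, "")) for i in ids):
            suppressed.append((pkg_version, sorted(ids)))
        else:
            kept.append(block)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_audit(SAMPLE_AUDIT, parse_ignore_conf(SAMPLE_CONF))
    print("\n\n".join(kept), "\nsuppressed:", suppressed)
```

With the sample data the libxml2 finding is suppressed, while the php56 finding stays in the report because its ID was only accepted for py27-* packages.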