From owner-freebsd-security@freebsd.org Tue Aug 16 16:41:21 2016
Date: Tue, 16 Aug 2016 09:41:13 -0700 (PDT)
From: Roger Marquis
To: freebsd-ports@freebsd.org
cc: freebsd-security@freebsd.org
Subject: pkg audit false negatives (was: Perl upgrade - 5.20.x vulnerable)
In-Reply-To: <84206cd3-10fb-2125-c7e9-921d74432c92@cloudzeeland.nl>
References: <3f8f41ff-3262-1021-2e28-2aaae89849b6@cloudzeeland.nl> <2915322d-0b1a-d36e-0725-c10bd0d32b7c@cloudzeeland.nl> <280f6f77-ad33-6ebb-d54a-a97129f793b3@FreeBSD.org> <84206cd3-10fb-2125-c7e9-921d74432c92@cloudzeeland.nl>

On 16 Aug 2016, JosC wrote:
>> In the absence of running 'pkg audit -F', only
>> the LOCALBASE/periodic/security/410.pkg-audit script updates the vuxml
>> file and audit results. Until that happens, or pkg audit -F is run, pkg
>> will still see an older version.
>
> Thinking with you I now ask myself:
> - Would it be a good idea to make this vuxml file update part of the
> Makefile?
> Then these occurrences won't happen anymore

There's also an issue with older versions (perl 5.1*) no longer showing up in the vuln.xml at all. I've seen perl, php and other critical network components still in use because the site depended on 'pkg audit' but did not know that expired OR deprecated ports are not audited. Apparently this is intentional and by policy. IMO it is a serious flaw in pkg audit's design.

A better policy would include expired AND deprecated ports in the output of 'pkg audit' for at least a year after they are removed from the ports and/or pkg trees. If a port had no known vulnerability when removed it should at least indicate 'no longer audited' in place of 'vulnerable'.

This is, IMO, one of 3 remaining weaknesses in the otherwise excellent FreeBSD audit framework. The other two issues have to do with base not being packaged (so not really being 'audit'able) and the 'general rule' announced on Aug 10 that 'the FreeBSD Security Officer does not announce vulnerabilities for which there is no released patch'. This is particularly problematic as there are usually mitigations that do not require patches.

Roger Marquis
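The gap described above (installed packages whose port has been removed or marked deprecated, and which 'pkg audit' therefore silently stops covering) can be checked for locally. The script below is an added example, not code from the thread or from pkg; it reads lines in the shape produced by `pkg query '%o %n-%v'` and looks each origin up in a ports tree, reporting "no longer audited" for removed origins and flagging DEPRECATED/EXPIRATION_DATE in the Makefile. The ports directory, the fixture files and the package list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Reports installed packages that pkg
# audit no longer covers: origin gone from the ports tree, or port marked
# DEPRECATED / EXPIRATION_DATE. Input lines: "<origin> <name>-<version>",
# i.e. the output of `pkg query '%o %n-%v'` on a real host (assumption).

# audit_coverage PORTSDIR INPUTFILE -> one line per finding on stdout
audit_coverage() {
    portsdir=$1
    input=$2
    while read -r origin pkgname; do
        [ -n "$origin" ] || continue
        mk="$portsdir/$origin/Makefile"
        if [ ! -f "$mk" ]; then
            # Removed from the tree: vuln.xml entries stop being maintained,
            # so report it explicitly instead of staying silent.
            printf '%s: origin %s not in ports tree: no longer audited\n' \
                "$pkgname" "$origin"
        elif grep -qE '^(DEPRECATED|EXPIRATION_DATE)[[:space:]]*[?:+]?=' "$mk"; then
            reason=$(grep -E '^(DEPRECATED|EXPIRATION_DATE)[[:space:]]*[?:+]?=' "$mk" \
                | tr '\n' ';')
            printf '%s: deprecated/expiring port (%s): audit coverage ending\n' \
                "$pkgname" "$reason"
        fi
    done < "$input"
}

# Constructed fixture (not a real ports tree): one current port, one
# deprecated port, and one installed package whose origin is gone.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/ports/lang/perl5.24" "$d/ports/lang/perl5.20"
    printf 'PORTNAME=\tperl\n' > "$d/ports/lang/perl5.24/Makefile"
    printf 'PORTNAME=\tperl\nDEPRECATED=\tEOL upstream\nEXPIRATION_DATE=\t2016-12-31\n' \
        > "$d/ports/lang/perl5.20/Makefile"
    printf 'lang/perl5.24 perl5.24-5.24.0\nlang/perl5.20 perl5.20-5.20.3\nlang/perl5.18 perl5.18-5.18.4\n' \
        > "$d/installed.txt"
    echo "$d"
}

# Example run against the fixture:
#   fx=$(make_fixture); audit_coverage "$fx/ports" "$fx/installed.txt"
```

On a real system point PORTSDIR at /usr/ports (kept current with portsnap or git) and feed it `pkg query '%o %n-%v'`; a package that is reported here will not appear in 'pkg audit' output no matter how recent the vuln.xml is.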