From: bugzilla-noreply@FreeBSD.org
To: pkg@FreeBSD.org
Subject: Problem reports for pkg@FreeBSD.org that need special attention
Date: Sun, 06 Aug 2017 21:00:08 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users, which need special attention. These represent problem reports covering all versions including experimental development code and obsolete releases.

Status      | Bug Id | Description
------------+--------+---------------------------------------------------
In Progress | 212022 | ports-mgmt/pkg: Segfaults when installing sensu p
Open        | 211141 | ports-mgmt/pkg: pkg+pw: Doesn't run pwd_mkdb, may
Open        | 220049 | ports-mgmt/pkg installs unneeded packages
New         | 193995 | [PATCH] ports-mgmt/pkg: floating point exception

4 problems total for which you should take action.

----------------------------------------------------------------------

From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
Cc: freebsd-pkg@freebsd.org
Subject: pkg audit false negatives
Date: Thu, 10 Aug 2017 19:41:29 -0700 (PDT)

In the past pkg-audit and even pkg-version have not been reliable tools where installed ports or packages have been subsequently discontinued or renamed. Today, however, I notice that dovecot2 is still showing up in the output of pkg-version despite the port having been renamed to dovecot (without the numeric suffix) several days ago.

Does this mean there has been a policy change? If so does it cover pkg-audit as well?

Roger

----------------------------------------------------------------------

From: Remko Lodder <remko@FreeBSD.org>
To: Roger Marquis
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Date: Fri, 11 Aug 2017 17:14:28 +0200

Hi Roger,

> On 11 Aug 2017, at 04:41, Roger Marquis wrote:
>
> In the past pkg-audit and even pkg-version have not been reliable tools
> where installed ports or packages have been subsequently discontinued or
> renamed. Today, however, I notice that dovecot2 is still showing up in
> the output of pkg-version despite the port having been renamed to
> dovecot (without the numeric suffix) several days ago.

Yes, there is a difference between renaming a port, and renaming the vuxml (which is the database behind pkg audit etc.) entries. The entries are listed as 'dovecot2-*' there and when renaming a port these entries should ideally be renamed too. It seems that that was not under consideration at the name change moment(s). I'll try to look into this (starting by prodding the person(s) who did the rename) and asking them to rename the entries in vuxml as well.

>
> Does this mean there has been a policy change? If so does it cover
> pkg-audit as well?

There had been no policy change. The application backend is just matching on what was recorded at the moment it was added.

Thanks for the notification though, we should add that to the porters-handbook.

Cheers
Remko

>
> Roger

----------------------------------------------------------------------
From: "Steve Watt" <steve@Watt.COM>
To: freebsd-pkg@freebsd.org
Subject: pkg insistent on installing php56 and php70 on php71 box
Date: Fri, 11 Aug 2017 09:39:02 -0700

Greetings!

I have a 10.3-RELEASE-p18 system that is configured with php71. I have added "DEFAULT_VERSIONS+= php=71" to /etc/make.conf. I am attempting to do a general package upgrade, but pkg insists on installing php56, which of course conflicts.

Here's what pkg info has to say about the php packages on my system:

- - - 8< - - -
(root@rivendell) 625# pkg info -g php\*
php71-7.1.7
php71-bcmath-7.1.7
php71-bz2-7.1.7
php71-calendar-7.1.7
php71-ctype-7.1.7
php71-curl-7.1.7
php71-dba-7.1.7
php71-dom-7.1.7
php71-enchant-7.1.7
php71-exif-7.1.7
php71-extensions-1.0
php71-fastdfs-5.0.10
php71-fileinfo-7.1.7
php71-filter-7.1.7
php71-ftp-7.1.7
php71-gd-7.1.7
php71-gettext-7.1.7
php71-gmp-7.1.7
php71-hash-7.1.7
php71-iconv-7.1.7
php71-imap-7.1.7
php71-interbase-7.1.7
php71-intl-7.1.7
php71-json-7.1.7
php71-ldap-7.1.7
php71-mbstring-7.1.7_1
php71-mcrypt-7.1.7
php71-memcache-3.0.8_1
php71-mysqli-7.1.7
php71-odbc-7.1.7
php71-opcache-7.1.7
php71-openssl-7.1.7
php71-pcntl-7.1.7
php71-pdo-7.1.7
php71-pdo_dblib-7.1.7
php71-pdo_firebird-7.1.7
php71-pdo_mysql-7.1.7
php71-pdo_odbc-7.1.7
php71-pdo_pgsql-7.1.7
php71-pdo_sqlite-7.1.7
php71-pgsql-7.1.7
php71-phar-7.1.7
php71-posix-7.1.7
php71-pspell-7.1.7
php71-readline-7.1.7
php71-recode-7.1.7
php71-session-7.1.7
php71-shmop-7.1.7
php71-simplexml-7.1.7
php71-snmp-7.1.7
php71-soap-7.1.7
php71-sockets-7.1.7
php71-sqlite3-7.1.7
php71-sysvmsg-7.1.7
php71-sysvsem-7.1.7
php71-sysvshm-7.1.7
php71-tidy-7.1.7
php71-tokenizer-7.1.7
php71-wddx-7.1.7
php71-xml-7.1.7
php71-xmlreader-7.1.7
php71-xmlrpc-7.1.7
php71-xmlwriter-7.1.7
php71-xsl-7.1.7
php71-zip-7.1.7
php71-zlib-7.1.7
- - - >8 - - -

And when I attempt an upgrade of just php\*, it wants to install php56 and php70 packages:

- - - 8< - - -
(root@rivendell) 626# pkg upgrade -g php\*
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
pkg: pecl-pdflib has a missing dependency: pdflib
The following 482 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	php-Psr_Log: 1.0.2
	php-arcanist: 20170630_1
	php-composer: 1.4.1
	php-facedetect: 1.1_6
	php-gdal: 2.2.1
	php-geos: 1.0.0
	php-geshi: 1.0.9.0
	php-horde_lz4: 1.0.10
	php-jq: 0.0.1_1
	php-libawl: 0.57
	php-libphutil: 20170630
	php-libpuzzle: 0.11_3
	php-magickwand: 1.0.9_6
	php-maxminddb: 1.1.0_1
	php-mdcached: 1.0.9_1
	php-mecab: 0.6.0_1
	php-memoize: 0.2.0b1_3
	php-mode.el: 1.18.2
	php-opencc: 0.0.0.20161110
	php-pHash: 0.9.6_2
	php-phabricator: 20170630_1
	php-scalar_objects: 0.0.20140124_2
	php-screw: 1.5_1
	php-snappy: 0.1.6
	php-suhosin: 0.9.38_3
	php-tclink: 4.0.2_2
	php-templates: 1.7.2_2
	php-uprofiler: 0.11.0.20150219_1
	php-xapian: 1.4.4
	php-xdebug: 2.5.0
	php5-Ice: 3.6.3_2
	php5-blitz: 0.8.2_1
	php5-blitz-devel: 0.7.2_1
	php5-bsdconv: 11.3.0_1
	php5-dav: 1.2_2
	php5-ffmpeg: 0.6.0.20120114_5
	php5-pdo_cassandra: 0.2.1_10
	php5-pinba: 2012.03.20_6
	php5-tarantool: 20151222_1
	php5-thrift: 0.9.3_1
	php56: 5.6.31
	php56-bcmath: 5.6.31
	php56-bz2: 5.6.31
	php56-calendar: 5.6.31
	php56-ctype: 5.6.31
	php56-curl: 5.6.31
	php56-dba: 5.6.31
	php56-dom: 5.6.31
	php56-enchant: 5.6.31
	php56-exif: 5.6.31
	php56-extensions: 1.0
	php56-fastdfs: 5.0.10
	php56-fileinfo: 5.6.31
	php56-filter: 5.6.31
	php56-ftp: 5.6.31
	php56-gd: 5.6.31
	php56-gettext: 5.6.31
	php56-gmp: 5.6.31
	php56-hash: 5.6.31
	php56-iconv: 5.6.31
	php56-imap: 5.6.31
	php56-interbase: 5.6.31
	php56-json: 5.6.31
	php56-ldap: 5.6.31
	php56-mbstring: 5.6.31_1
	php56-mcrypt: 5.6.31
	php56-mssql: 5.6.31
	php56-mysql: 5.6.31
	php56-mysqli: 5.6.31
	php56-odbc: 5.6.31
	php56-opcache: 5.6.31
	php56-openssl: 5.6.31
	php56-pcntl: 5.6.31
	php56-pdo: 5.6.31
	php56-pdo_dblib: 5.6.31
	php56-pdo_firebird: 5.6.31
	php56-pdo_mysql: 5.6.31
	php56-pdo_odbc: 5.6.31
	php56-pdo_pgsql: 5.6.31
	php56-pdo_sqlite: 5.6.31
	php56-pgsql: 5.6.31
	php56-phar: 5.6.31
	php56-posix: 5.6.31
	php56-pspell: 5.6.31
	php56-readline: 5.6.31
	php56-recode: 5.6.31
	php56-session: 5.6.31
	php56-shmop: 5.6.31
	php56-simplexml: 5.6.31
	php56-snmp: 5.6.31
	php56-soap: 5.6.31
	php56-sockets: 5.6.31
	php56-sqlite3: 5.6.31
	php56-sybase_ct: 5.6.31
	php56-sysvmsg: 5.6.31
	php56-sysvsem: 5.6.31
	php56-sysvshm: 5.6.31
	php56-tidy: 5.6.31
	php56-tokenizer: 5.6.31
	php56-wddx: 5.6.31
	php56-xml: 5.6.31
	php56-xmlreader: 5.6.31
	php56-xmlrpc: 5.6.31
	php56-xmlwriter: 5.6.31
	php56-xsl: 5.6.31
	php56-zip: 5.6.31
	php56-zlib: 5.6.31
	php70: 7.0.22
	php70-bcmath: 7.0.22
	php70-bz2: 7.0.22
	php70-calendar: 7.0.22
	php70-ctype: 7.0.22
	php70-curl: 7.0.22
	php70-dba: 7.0.22
	php70-dom: 7.0.22
	php70-enchant: 7.0.22
	php70-exif: 7.0.22
	php70-extensions: 1.1
	php70-fastdfs: 5.0.10
	php70-fileinfo: 7.0.22
	php70-filter: 7.0.22
	php70-ftp: 7.0.22
	php70-gd: 7.0.22
	php70-gettext: 7.0.22
	php70-gmp: 7.0.22
	php70-hash: 7.0.22
	php70-iconv: 7.0.22
	php70-imap: 7.0.22
	php70-interbase: 7.0.22
	php70-intl: 7.0.22
	php70-json: 7.0.22
	php70-ldap: 7.0.22
	php70-mbstring: 7.0.22
	php70-mcrypt: 7.0.22
	php70-memcache: 3.0.8_1
	php70-memcached: 3.0.0b1
	php70-mysqli: 7.0.22
	php70-odbc: 7.0.22
	php70-opcache: 7.0.22
	php70-openssl: 7.0.22
	php70-pcntl: 7.0.22
	php70-pdo: 7.0.22
	php70-pdo_dblib: 7.0.22
	php70-pdo_firebird: 7.0.22
	php70-pdo_mysql: 7.0.22
	php70-pdo_odbc: 7.0.22
	php70-pdo_pgsql: 7.0.22
	php70-pdo_sqlite: 7.0.22
	php70-pgsql: 7.0.22
	php70-phar: 7.0.22
	php70-posix: 7.0.22
	php70-pspell: 7.0.22
	php70-readline: 7.0.22
	php70-recode: 7.0.22
	php70-session: 7.0.22
	php70-shmop: 7.0.22
	php70-simplexml: 7.0.22
	php70-snmp: 7.0.22
	php70-soap: 7.0.22
	php70-sockets: 7.0.22
	php70-sqlite3: 7.0.22
	php70-sysvmsg: 7.0.22
	php70-sysvsem: 7.0.22
	php70-sysvshm: 7.0.22
	php70-tidy: 7.0.22
	php70-tokenizer: 7.0.22
	php70-wddx: 7.0.22
	php70-xml: 7.0.22
	php70-xmlreader: 7.0.22
	php70-xmlrpc: 7.0.22
	php70-xmlwriter: 7.0.22
	php70-xsl: 7.0.22
	php70-zip: 7.0.22
	php70-zlib: 7.0.22
	phpLiteAdmin: 1.9.7.1
	[ etc. ]
- - - >8 - - -

Is there some incantation I'm missing?
--
Steve Watt KD6GGD  PP-ASEL-IA  factories.words.yappy
Don't let your schooling get in the way of your education.

----------------------------------------------------------------------

From: Remko Lodder <remko@FreeBSD.org>
To: Roger Marquis
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Date: Fri, 11 Aug 2017 20:45:41 +0200

Hi Roger,

> On 11 Aug 2017, at 17:14, Remko Lodder wrote:
>
> Hi Roger,
>
>> On 11 Aug 2017, at 04:41, Roger Marquis wrote:
>>
>> In the past pkg-audit and even pkg-version have not been reliable tools
>> where installed ports or packages have been subsequently discontinued or
>> renamed. Today, however, I notice that dovecot2 is still showing up in
>> the output of pkg-version despite the port having been renamed to
>> dovecot (without the numeric suffix) several days ago.
>

It had been resolved for dovecot (it will now match both variants, since people might still have the old variant of the port installed) and there is a new paragraph added to the porters handbook which tells that we need to have a look at the vuxml entries.

Hope this solves your issue,
Remko

----------------------------------------------------------------------

From: Roger Marquis <marquis@roble.com>
To: Remko Lodder
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Date: Fri, 11 Aug 2017 14:47:37 -0700 (PDT)
> It had been resolved for dovecot (it will now match both variants, since people might still have
> the old variant of the port installed) and there is a new paragraph added to the porters handbook
> which tells that we need to have a look at the vuxml entries.

Thanks Remko.

> Hope this solves your issue,

It may for renamed ports/pkgs but doesn't appear to for deprecations. Once ports are dropped they do not show up in pkg-audit despite having been installed via pkg and/or ports. That's the false negative that appears to still be a problem.

Roger

----------------------------------------------------------------------

From: Remko Lodder <remko@FreeBSD.org>
To: Roger Marquis
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Date: Fri, 11 Aug 2017 23:55:13 +0200
> On 11 Aug 2017, at 23:47, Roger Marquis wrote:
>
>> It had been resolved for dovecot (it will now match both variants, since people might still have
>> the old variant of the port installed) and there is a new paragraph added to the porters handbook
>> which tells that we need to have a look at the vuxml entries.
>
> Thanks Remko.

No problemo :)

>
>> Hope this solves your issue,
>
> It may for renamed ports/pkgs but doesn't appear to for deprecations.
> Once ports are dropped they do not show up in pkg-audit despite having
> been installed via pkg and/or ports. That's the false negative that
> appears to still be a problem.

Ports / pkgs that get renamed are now changed and/or added in VuXML as well. So the old variant and the new variant of the names would both be listed in pkg audit.

pkg audit parses VuXML, it also does a check on what is locally registered in its database. For example if you have a/b installed. And that has a marking in VuXML: b then it would hit on the package you have. If a/b gets removed for some reason, and it is still in VuXML and you have it locally registered, then it would still be matched (or should).

If an entry is removed from the ports/pkg trees and it is also removed from VuXML, then yes, it will no longer get marked in your local installation. That's a bit of a chicken and egg basically. Although I do not recall that it ever happened that ports that are no longer there are removed from VuXML as well. (And I follow that since 2004.)

Do you have a more concrete example that we can dive into to see what is going on/going wrong?

Cheers
Remko

>
> Roger
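Remko's two explanations above (the first reply, and the "a/b installed ... marking in VuXML: b" paragraph here) both come down to the same mechanism: pkg audit matches the package name recorded in the local database against the <name> elements of each VuXML entry, then checks the installed version against the entry's <range>. The script below is an added example, not code from FreeBSD's pkg or from the vuxml repository, that models that matching over a constructed VuXML snippet. The VuXML text and the package names/versions are made up for illustration, and parse_version() is a simplified stand-in for pkg's real version comparison. It shows the false negative Roger hit (an entry keyed only on dovecot2 never fires for a package registered as dovecot) and the fix Remko describes (listing both names in the entry).

```python
"""Model of how pkg audit matches installed packages against VuXML entries.

Added example, not code from FreeBSD's pkg or the vuxml repository. The VuXML
snippet is constructed, and parse_version() is a simplified stand-in for
pkg's real version comparison (dotted components, _revision, ,epoch only).
"""
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed VuXML: example-0001 still keys on the old port name dovecot2;
# example-0002 lists both the old and the new name, as Remko describes.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="example-0001">
    <topic>dovecot -- constructed issue, old name only</topic>
    <affects>
      <package>
        <name>dovecot2</name>
        <range><lt>2.2.31</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="example-0002">
    <topic>dovecot -- constructed issue, old and new name</topic>
    <affects>
      <package>
        <name>dovecot</name>
        <name>dovecot2</name>
        <range><ge>2.2.0</ge><lt>2.2.31</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""


def parse_version(version):
    """Sort key for a pkg version string such as '2.2.31_1,1'.

    Simplified: epoch (after ','), then each dotted component split into a
    numeric prefix and an alphabetic suffix, then the port revision (after '_').
    """
    base, _, epoch = version.partition(",")
    base, _, revision = base.partition("_")
    comps = []
    for token in base.split("."):
        m = re.match(r"(\d*)(.*)", token)
        comps.append((int(m.group(1) or 0), m.group(2)))
    return (int(epoch or 0), tuple(comps), int(revision or 0))


# VuXML range operators; every child of a <range> must hold for a match.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version, rng):
    key = parse_version(version)
    return all(
        OPS[child.tag.rsplit("}", 1)[-1]](key, parse_version(child.text.strip()))
        for child in rng
    )


def load_vuxml(text):
    """Return one (vid, names, ranges) tuple per <package> in every <vuln>."""
    root = ET.fromstring(text)
    entries = []
    for vuln in root.findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = [n.text.strip() for n in pkg.findall("v:name", NS)]
            entries.append((vuln.get("vid"), names, pkg.findall("v:range", NS)))
    return entries


def audit(installed, entries):
    """installed maps package name -> version, like pkg's local database.

    Returns {name: [vid, ...]}. A package only hits an entry whose <name> list
    contains the name it is registered under, so a package installed under a
    new name silently misses entries that still key on the old one.
    """
    hits = {}
    for vid, names, ranges in entries:
        for name in names:
            version = installed.get(name)
            if version is not None and any(in_range(version, r) for r in ranges):
                hits.setdefault(name, []).append(vid)
    return hits


def audit_text(vuxml_text, installed):
    return audit(installed, load_vuxml(vuxml_text))


if __name__ == "__main__":
    for installed in ({"dovecot2": "2.2.30"}, {"dovecot": "2.2.30"}, {"dovecot": "2.2.31"}):
        print(installed, "->", audit_text(VUXML, installed))
```

Run as a script it prints the three cases: dovecot2-2.2.30 matches both entries, dovecot-2.2.30 matches only example-0002 (example-0001 is the silent miss), and dovecot-2.2.31 matches nothing because it is outside the range. Removing an entry from the VuXML text removes its matches, which is the deprecation case Roger raises; nothing in the matching itself warns that an installed package has no entries at all.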
----------------------------------------------------------------------

From: Roger Marquis <marquis@roble.com>
To: Remko Lodder
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Date: Fri, 11 Aug 2017 17:37:56 -0700 (PDT)

On Fri, 11 Aug 2017, Remko Lodder wrote:
> If an entry is removed from the ports/pkg trees and it is also removed
> from VuXML, then yes, it will no longer get marked in your local
> installation. That's a bit of a chicken and egg basically. Although I do
> not recall that it ever happened that ports that are no longer there, are
> removed from VuXML as well. (And I follow that since 2004).
>
> Do you have a more concrete example that we can dive into to see what is
> going on/going wrong?

Should be able to find missing VuXML entries for most anything that has been deprecated from the ports tree but most of the ones I've seen are for web programming languages, particularly php. For example when php5X was dropped it also disappeared from VuXML, with no small number of servers still using it. If those sites depended on pkg-audit to tell them they had a vulnerability, well, they were out of luck. There was no warning, no error, no disclaimer; pkg-audit did and still does nothing different than it would for a non-vulnerable port or package.

There may be more vulnerabilities in the wild from non-packaged base as it is larger but at least people are working on that. Pkg-audit tracking of installed but deprecated ports, OTOH, seems to have fallen through the cracks. Even the FreeBSD Foundation and the ports-security teams appear to be ignoring this issue.

Roger Marquis

----------------------------------------------------------------------

From: Remko Lodder <remko@FreeBSD.org>
To: Roger Marquis
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Date: Sat, 12 Aug 2017 09:57:43 +0200

> On 12 Aug 2017, at 02:37, Roger Marquis wrote:
>
> On Fri, 11 Aug 2017, Remko Lodder wrote:
>
>> If an entry is removed from the ports/pkg trees and it is also removed
>> from VuXML, then yes, it will no longer get marked in your local
>> installation. That's a bit of a chicken and egg basically. Although I do
>> not recall that it ever happened that ports that are no longer there, are
>> removed from VuXML as well. (And I follow that since 2004).
>> Do you have a more concrete example that we can dive into to see what is >> going on/going wrong? > > Should be able to find missing vulxml entries for most anything that has > been deprecated from the ports tree but most of the ones I've seen are > for web programming languages, particularly php. I do not think that holds: 17521 php -- multiple vulnerabilities 17522 17523 17524 php55 17525 5.5.38 17526 This is an entry from svnweb, for php55, which was added in 2016(07-26). So this entry is there. Thus it did not disappear from VuXML at least. Can you show such a packet from your local installation(s) and present a ``pkg audit -F`` along side it. I would also like to see a detailed pkg info from the affected pkg. Thanks a lot in advance, Remko > > For example when php5X was dropped it also disappeared from vulxml, with > no small number of servers still using it. If those sites depended on > pkg-audit to tell them they had a vulnerability, well, they were out of > luck. There was no warning, no error, no disclaimer, pkg-audit did and > still does nothing different than it would for a non-vulnerable port or > package. > > There may be more vulnerabilities in the wild from non-packaged base as > it is larger but at least people are working on that. Pkg-audit > tracking of installed but deprecated ports OTOH, seems to have fallen > through the cracks. Even the FreeBSD Foundation and the ports-security > teams appear to be ignoring this issue. 
> > Roger Marquis --Apple-Mail=_1BF0E537-26DA-423B-BF15-15AC7FE0F0CE Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJZjrT4AAoJEHE1jtY/d0B5OFYP/R3Zlv0rIzluQXnqbcA/L5wI aHZqFA0aeDOKjNv7RwwzuU/nltJteo775++svkVsEKvtiCBOaQ9M0fGOWWHiQETc XpgD/3QeNgh94eMhPxZnJ+kcnRE915EDpSbiYkbxbMvi2+yvdM0qvxIzZtVJqgoo Enb7LtoLLxFxMp0CZdYs5YnVqMGVFn6Ce66VqtT7e1jOUvHQFk5UeJOxxPwE4tBL kwsP2cl5swTBfjbkQx6wh8JnWIHxM/htnB1556u79QzXPUAa+Bn0bgviz30N10oV IycI7Mu1uTRbD+o4GuXPbjpYG/7+/nwD9kv8yYOotdkCIYvPfyVcVJXlxy8Leo4T erq9cnk2aHaL0TjjFmXHyzFhkufcIph009AxhSZ6SffavOGcK24DpdjuKG72HcUj 0QKGcDmXgp/Qyv50SUeQ+2VyoFRIAgnj8ev2lnxOthZ7fSwJr8Cs4lGvFEnHBsmV hLVYMiS2CdUMMJhNd1PgOoQ2lThk72Du0x6Suq2GTTcbojebIJWincNhTBFlZMl2 VVZDUDLFJDtZPdtAjrjHSIBjibgrNS0RD3uqmW/7xfQ7YKpUhoJQw+gWJvnmxmaz 1F8g3DbVKz1ndiicYxW4E4BSM1IliZ/T5xbSRxFskbNwWvfUj71zl3SPphFw6kP8 uyyHjfgfS7YqMaax7KFy =SYla -----END PGP SIGNATURE----- --Apple-Mail=_1BF0E537-26DA-423B-BF15-15AC7FE0F0CE-- From owner-freebsd-pkg@freebsd.org Sat Aug 12 17:13:38 2017 Return-Path: Delivered-To: freebsd-pkg@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DFD9FD94795 for ; Sat, 12 Aug 2017 17:13:38 +0000 (UTC) (envelope-from pmc@citylink.dinoex.sub.org) Received: from mailman.ysv.freebsd.org (unknown [127.0.1.3]) by mx1.freebsd.org (Postfix) with ESMTP id C14F669343 for ; Sat, 12 Aug 2017 17:13:38 +0000 (UTC) (envelope-from pmc@citylink.dinoex.sub.org) Received: by mailman.ysv.freebsd.org (Postfix) id C09A6D94794; Sat, 12 Aug 2017 17:13:38 +0000 (UTC) Delivered-To: pkg@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C0340D94793 for ; Sat, 12 Aug 2017 17:13:38 
+0000 (UTC) (envelope-from pmc@citylink.dinoex.sub.org) Received: from uucp.dinoex.sub.de (uucp.dinoex.sub.de [IPv6:2001:1440:5001:1::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "uucp.dinoex.sub.de", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CBB269342 for ; Sat, 12 Aug 2017 17:13:38 +0000 (UTC) (envelope-from pmc@citylink.dinoex.sub.org) Received: from uucp.dinoex.sub.de (uucp.dinoex.sub.de [194.45.71.2]) by uucp.dinoex.sub.de (8.15.2/8.14.9) with ESMTPS id v7CHD4ac054735 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Sat, 12 Aug 2017 19:13:04 +0200 (CEST) (envelope-from pmc@citylink.dinoex.sub.org) X-MDaemon-Deliver-To: Received: from citylink.dinoex.sub.org (uucp@localhost) by uucp.dinoex.sub.de (8.15.2/8.14.9/Submit) with UUCP id v7CHD46X054734 for pkg@FreeBSD.org; Sat, 12 Aug 2017 19:13:04 +0200 (CEST) (envelope-from pmc@citylink.dinoex.sub.org) Received: from gate.oper.dinoex.org (gate-e [192.168.98.2]) by citylink.dinoex.sub.de (8.15.2/8.15.2) with ESMTP id v7CGRcgF008767 for ; Sat, 12 Aug 2017 18:27:38 +0200 (CEST) (envelope-from pmc@citylink.dinoex.sub.org) Received: from disp.oper.dinoex.org (disp-e.oper.dinoex.org [192.168.97.18]) by gate.oper.dinoex.org (8.15.2/8.15.2) with ESMTP id v7CGQ8R9008514 for ; Sat, 12 Aug 2017 18:26:08 +0200 (CEST) (envelope-from pmc@citylink.dinoex.sub.org) Newsgroups: m2n.fbsd.stable X-Mozilla-News-Host: news://localhost:119 To: pkg@FreeBSD.org From: Peter Subject: errors from port make (analyzed: bug in pkg) Message-ID: Date: Sat, 12 Aug 2017 18:25:24 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:51.0) Gecko/20100101 Firefox/51.0 SeaMonkey/2.48 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Milter: Spamilter (Reciever: uucp.dinoex.sub.de; Sender-ip: 194.45.71.2; Sender-helo: uucp.dinoex.sub.de; ) X-Greylist: Sender IP whitelisted, 
not delayed by milter-greylist-4.6.2 (uucp.dinoex.sub.de [194.45.71.2]); Sat, 12 Aug 2017 19:13:05 +0200 (CEST) X-BeenThere: freebsd-pkg@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Binary package management and package tools discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Aug 2017 17:13:39 -0000 For a long time already, I get these strange messages whenever building a port: pkg: Bad argument on pkg_set 2143284626 Today I looked into it, and found it is easily reproducible: # pkg audit whatever pkg: Bad argument on pkg_set 2143284618 0 problem(s) in the installed packages found. # Looking closer, I found this offending call in src/audit.c:exec_audit(): pkg_set(pkg, PKG_UNIQUEID, name); This goes into libpkg/pkg.c:pkg_vset(), but there nobody is interested in an UNIQUEID parameter, so that the parameter does not get fetched from the va_list. It does not do any harm, but it is ugly. Please fix.