From: Roger Marquis
To: Remko Lodder
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Date: Sun, 13 Aug 2017 20:32:25 -0700 (PDT)

> I do not think that holds:
>
> > 17521 php -- multiple vulnerabilities
> > 17522
> > 17523
> > 17524 php55
> > 17525 5.5.38
>
> This is an entry from svnweb, for php55, which was added in 2016 (07-26).
>
> So this entry is there. Thus it did not disappear from VuXML at least.

You are right, Remko. It looks like there was a policy or at least a practice change about a year ago. I even have an archived email from Gerhard Schmidt, who first noticed it back in Aug 2016.

My fault for not doing sufficient fact rechecking, so we are safe from false negatives after all. Hurray, I can stop relying on pkg-version (for this). That leaves just unpackaged base as FreeBSD's remaining audit weakness.

Roger
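The lookup the thread is arguing about, as an added example that is not code from pkg(8) or the FreeBSD project: a minimal VuXML matcher in the spirit of `pkg audit`, run against a constructed document containing a php55 entry like the one quoted above. The `vid` value is a placeholder, and version ordering is simplified to dotted integers (real pkg version(8) comparison also handles suffixes); `known_package` is added to show the distinction a false negative hides, namely "no vulnerable range matched" versus "this package name is absent from VuXML".

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/2003/vuxml-1.0"}

# Constructed sample document; the vid is a placeholder, not a real VuXML id.
SAMPLE_VUXML = """<?xml version="1.0"?>
<vuxml xmlns="http://www.vuxml.org/2003/vuxml-1.0">
  <vuln vid="placeholder-0001">
    <topic>php -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>php55</name>
        <range><lt>5.5.38</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

def vtuple(version):
    """Simplified version key: dotted integers only (assumption; real
    pkg version(8) ordering also understands suffixes such as _1 and ,1)."""
    return tuple(int(p) for p in version.split("."))

def in_range(version, rng):
    """True when version satisfies every bound inside one <range> element."""
    v = vtuple(version)
    ops = {"lt": lambda b: v < vtuple(b), "le": lambda b: v <= vtuple(b),
           "gt": lambda b: v > vtuple(b), "ge": lambda b: v >= vtuple(b),
           "eq": lambda b: v == vtuple(b)}
    # Child tags carry the namespace ({ns}lt); keep only the local name.
    return all(ops[b.tag.split("}")[1]](b.text.strip()) for b in rng)

def audit(name, version, vuxml_text=SAMPLE_VUXML):
    """Return the topic of every vuln whose <affects> covers name at version.
    An empty list means 'no matching range', which is also what an absent
    package yields: the false-negative shape the thread is concerned with."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkg.find("v:name", NS).text != name:
                continue
            if any(in_range(version, r) for r in pkg.findall("v:range", NS)):
                hits.append(vuln.find("v:topic", NS).text)
    return hits

def known_package(name, vuxml_text=SAMPLE_VUXML):
    """Separate 'clean' from 'never listed': is name mentioned in VuXML at all?"""
    root = ET.fromstring(vuxml_text)
    return any(p.text == name for p in root.findall(".//v:package/v:name", NS))
```

Running `audit("php55", "5.5.37")` reports the entry, `audit("php55", "5.5.38")` does not, and `audit("php56", "5.6.0")` is empty only because php56 is not in the sample at all, which `known_package` exposes.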