Date: Sun, 26 Mar 2023 12:16:53 +0200 From: Hubert Tournier <hubert.tournier@gmail.com> To: freebsd-python@freebsd.org, FreeBSD-security@freebsd.org Subject: 45 vulnerable ports unreported in VuXML Message-ID: <CADr%2Bmw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P%2BnEN5Gg7Yeo_A@mail.gmail.com> In-Reply-To: <CADr%2Bmw-oh0txuXXoMptYOXBj1uwWNdeAESX6aE_iZxheFgY8gw@mail.gmail.com> References: <CADr%2Bmw-oh0txuXXoMptYOXBj1uwWNdeAESX6aE_iZxheFgY8gw@mail.gmail.com>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] Hello, While working on pipinfo <https://github.com/HubTou/pipinfo>, an alternative Python packages management tool, I noticed that some Python packages installed as FreeBSD ports where marked as vulnerable by the Python Packaging Authority <https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>; but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html>; ports security database. So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml>; tool to check the 4.000+ FreeBSD ports for Python packages and found 45 of them vulnerable and unreported <https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>. I started producing new VuXML entries <https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt>; for these vulnerable ports. *Please tell me if it's worth pursuing this effort?* In order to verify if these vulnerable ports where also marked as vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got carried away writing a whole utility, vuxml <https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of general interest to some of you? Best regards, PS: this approach could be extended to Rust crates, Ruby gems and so on with the vulnerabilities described in the OSV <https://osv.dev/>... [-- Attachment #2 --] <div dir="ltr">Hello,<div class="gmail_quote"><div dir="ltr"><div><br></div><div>While working on <a href="https://github.com/HubTou/pipinfo" target="_blank">pipinfo</a>, an alternative Python packages management tool, I noticed that some Python packages installed as FreeBSD ports where marked as vulnerable by the <a href="https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities" target="_blank">Python Packaging Authority</a> but not in <a href="https://www.vuxml.org/freebsd/index.html" rel="nofollow" target="_blank">FreeBSD VuXML</a> ports security database. </div><p dir="auto">So I made a <a href="https://github.com/HubTou/pysec2vuxml" target="_blank">pysec2vuxml</a> tool to check the 4.000+ FreeBSD ports for Python packages and found <a href="https://github.com/HubTou/pysec2vuxml/blob/main/results.txt" target="_blank">45 of them vulnerable and unreported</a>.</p> <p>I started producing <a href="https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt" target="_blank">new VuXML entries</a> for these vulnerable ports. <b>Please tell me if it's worth pursuing this effort?</b><br></p><p dir="auto">In order to verify if these vulnerable ports where also marked as vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got carried away writing a whole utility, <a href="https://github.com/HubTou/vuxml" target="_blank">vuxml</a>, to demonstrate its use. This could be of general interest to some of you?<br></p><p>Best regards,<br></p><p>PS: this approach could be extended to Rust crates, Ruby gems and so on with the vulnerabilities described in the <a href="https://osv.dev/" target="_blank">OSV</a>...<br></p></div> </div></div>help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADr%2Bmw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P%2BnEN5Gg7Yeo_A>