Date:      Sun, 26 Mar 2023 12:16:53 +0200
From:      Hubert Tournier <hubert.tournier@gmail.com>
To:        freebsd-python@freebsd.org, FreeBSD-security@freebsd.org
Subject:   45 vulnerable ports unreported in VuXML
Message-ID:  <CADr%2Bmw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P%2BnEN5Gg7Yeo_A@mail.gmail.com>
In-Reply-To: <CADr%2Bmw-oh0txuXXoMptYOXBj1uwWNdeAESX6aE_iZxheFgY8gw@mail.gmail.com>
References:  <CADr%2Bmw-oh0txuXXoMptYOXBj1uwWNdeAESX6aE_iZxheFgY8gw@mail.gmail.com>


Hello,

While working on pipinfo <https://github.com/HubTou/pipinfo>, an
alternative Python packages management tool, I noticed that some Python
packages installed as FreeBSD ports were marked as vulnerable by the Python
Packaging Authority
<https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
but not in the FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
security database.

So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
check the 4.000+ FreeBSD ports for Python packages and found 45 of them
vulnerable and unreported
<https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.

I started producing new VuXML entries
<https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
these vulnerable ports. *Please tell me if it's worth pursuing this effort?*

In order to verify if these vulnerable ports were also marked as
vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
carried away writing a whole utility, vuxml
<https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
general interest to some of you?

Best regards,

PS: this approach could be extended to Rust crates, Ruby gems and so on
with the vulnerabilities described in the OSV <https://osv.dev/>...
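The cross-check the message describes, as an added example that is not part of the original mail nor of the pysec2vuxml or vuxml projects: it takes the JSON document the PyPI JSON API returns for a package (whose `vulnerabilities` list carries the PyPA advisory data) and a VuXML document, and reports the advisories that apply to the installed port version but have no matching VuXML entry. The JSON and XML samples are constructed, the advisory ids and vid are placeholders, the `py<NN>-` port-name convention and the conservative `fixed_in` comparison are assumptions.

```python
"""Cross-check PyPI known-vulnerability data against FreeBSD VuXML entries.

Added example, not pysec2vuxml's own code. Input 1 is the JSON the PyPI JSON
API returns (https://pypi.org/pypi/<name>/json); input 2 is a VuXML document.
All sample data below is constructed; advisory ids and the vid are placeholders.
"""
import json
import re
import xml.etree.ElementTree as ET

VUXML_NS = {"v": "http://www.vuxml.org/2002/vuxml"}
PY_PREFIX = re.compile(r"^py\d+-")  # assumed FreeBSD naming: py39-requests -> requests

# Constructed sample of a PyPI JSON API response, trimmed to the fields used.
SAMPLE_PYPI_JSON = json.dumps({
    "info": {"name": "examplepkg", "version": "1.4.0"},
    "vulnerabilities": [
        {"id": "PYSEC-0000-0001", "aliases": ["CVE-0000-0001"],
         "fixed_in": ["1.4.1"], "summary": "placeholder advisory A"},
        {"id": "PYSEC-0000-0002", "aliases": ["CVE-0000-0002"],
         "fixed_in": ["1.2.0"], "summary": "placeholder advisory B (already fixed)"},
        {"id": "PYSEC-0000-0003", "aliases": [],
         "fixed_in": ["1.5.0"], "summary": "placeholder advisory C (not in VuXML)"},
    ],
})

# Constructed VuXML fragment: one entry covers CVE-0000-0001 for py39-examplepkg.
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/2002/vuxml">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>examplepkg -- placeholder issue</topic>
    <affects>
      <package>
        <name>py38-examplepkg</name>
        <name>py39-examplepkg</name>
        <range><lt>1.4.1</lt></range>
      </package>
    </affects>
    <description><body xmlns="http://www.w3.org/1999/xhtml"><p>placeholder</p></body></description>
    <references>
      <cvename>CVE-0000-0001</cvename>
      <url>https://example.invalid/advisory-a</url>
    </references>
    <dates><discovery>2023-01-01</discovery><entry>2023-01-02</entry></dates>
  </vuln>
</vuxml>
"""


def version_key(version):
    """Simplified version ordering: compares the numeric components only."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def pypi_name_of_port(port):
    """Strip the assumed py<NN>- prefix so port and PyPI names can be compared."""
    return PY_PREFIX.sub("", port).lower()


def vuxml_known_ids(vuxml_text, pypi_name):
    """CVE names and vids of every VuXML entry whose <affects> names the package."""
    root = ET.fromstring(vuxml_text)
    known = set()
    for vuln in root.findall("v:vuln", VUXML_NS):
        names = [n.text for n in vuln.findall("v:affects/v:package/v:name", VUXML_NS)]
        if any(n and pypi_name_of_port(n) == pypi_name for n in names):
            known.add(vuln.get("vid"))
            known.update(c.text for c in vuln.findall("v:references/v:cvename", VUXML_NS)
                         if c.text)
    return known


def affected_advisories(pypi_text, installed_version):
    """Advisories that still apply to installed_version.

    Conservative heuristic: an advisory applies while the installed version is
    below the highest fixed_in version (or when no fix exists yet). This may
    over-report across maintenance branches; it never under-reports.
    """
    doc = json.loads(pypi_text)
    installed = version_key(installed_version)
    out = []
    for adv in doc.get("vulnerabilities", []):
        if adv.get("withdrawn"):
            continue
        fixed = [version_key(f) for f in adv.get("fixed_in") or []]
        if not fixed or installed < max(fixed):
            out.append(adv)
    return out


def unreported_advisories(pypi_text, vuxml_text, port_name, installed_version):
    """Ids of applicable advisories that VuXML does not mention for the port."""
    known = vuxml_known_ids(vuxml_text, pypi_name_of_port(port_name))
    missing = []
    for adv in affected_advisories(pypi_text, installed_version):
        ids = {adv["id"], *adv.get("aliases", [])}
        if not ids & known:  # neither the PYSEC id nor any alias (e.g. CVE) is known
            missing.append(adv["id"])
    return missing


if __name__ == "__main__":
    print(unreported_advisories(SAMPLE_PYPI_JSON, SAMPLE_VUXML, "py39-examplepkg", "1.4.0"))
```

Matching on aliases matters: VuXML references advisories by CVE name, while the PyPI feed keys them by PYSEC id and lists the CVE only under `aliases`, so an id-only comparison would flag every entry as unreported.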




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADr%2Bmw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P%2BnEN5Gg7Yeo_A>