Date: Wed, 5 Feb 2014 16:07:01 -0500 (EST)
From: Garrett Wollman <wollman@freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/186497: Local overrides for pkg audit
Message-ID: <201402052107.s15L719U014762@hergotha.csail.mit.edu>
Resent-Message-ID: <201402052110.s15LA0t5007115@freefall.freebsd.org>
>Number:         186497
>Category:       ports
>Synopsis:       Local overrides for pkg audit
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 05 21:10:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Garrett Wollman
>Release:        FreeBSD 9.2-RELEASE-p2 amd64
>Organization:
none
>Environment:
System: FreeBSD hergotha.csail.mit.edu 9.2-RELEASE-p2 FreeBSD 9.2-RELEASE-p2 #12 r259226: Wed Dec 11 16:42:55 EST 2013 wollman@hergotha.csail.mit.edu:/usr/obj/usr/src/sys/HERGOTHA amd64
pkg 1.2.5
>Description:
pkg audit reports many vulnerabilities which are configuration-dependent. It would be nice to have a local override file to silence warnings about vulnerabilities that the administrator has determined to be inapplicable or has applied a workaround for.
>How-To-Repeat:
Run pkg audit on a 9.x system with openssh-portable-6.2.p2_5,1 installed. The vulnerability only applies when AES-GCM is in use, which the OpenSSL on 9.x does not support.
>Fix:
Probably add a new data file to read with a list of vuln IDs to acknowledge, and an option flag to pkg audit to show all vulns including those that were silenced.
>Release-Note:
>Audit-Trail:
>Unformatted:
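A working sketch of the override mechanism proposed under >Fix:, added here as an example that is not part of the PR or of pkg itself: it reads a local acknowledgement file of vuln IDs with a recorded reason, drops matching entries from pkg audit output, and keeps a show-all switch so silenced entries can still be reviewed. The block-per-package output shape, the acknowledgement file layout and the all-zero vuln IDs are assumptions and placeholders, not real VuXML entries.

```python
import re

# Constructed sample in the shape pkg audit prints one block per vulnerable
# package (format is an assumption; IDs are placeholders, not real entries).
SAMPLE_AUDIT = """openssh-portable-6.2.p2_5,1 is vulnerable:
OpenSSH -- placeholder issue only reachable when AES-GCM is in use
WWW: http://portaudit.FreeBSD.org/00000000-0000-0000-0000-000000000001.html

somepkg-1.0 is vulnerable:
somepkg -- placeholder issue with no local workaround
WWW: http://portaudit.FreeBSD.org/00000000-0000-0000-0000-000000000002.html

2 problem(s) in the installed packages found.
"""

# Constructed acknowledgement file: one vuln ID per line, reason after '#'.
SAMPLE_ACK = """# vuln-id   reason
00000000-0000-0000-0000-000000000001  # base OpenSSL on 9.x lacks AES-GCM
"""

ID_RE = re.compile(r"/([0-9a-f-]{36})\.html")

def load_acks(text):
    """Map acknowledged vuln ID -> recorded reason; blank/comment lines skipped."""
    acks = {}
    for line in text.splitlines():
        body, _, reason = line.partition("#")
        if body.strip():
            acks[body.strip()] = reason.strip()
    return acks

def split_entries(audit_text):
    """One entry per blank-line-separated block that names a vulnerable package."""
    blocks = (b.strip() for b in audit_text.split("\n\n"))
    return [b for b in blocks if " is vulnerable:" in b]

def filter_audit(audit_text, acks, show_all=False):
    """Return (entries to show, silenced (package line, vuln id, reason) tuples)."""
    shown, silenced = [], []
    for entry in split_entries(audit_text):
        match = ID_RE.search(entry)
        vid = match.group(1) if match else None
        if vid in acks and not show_all:
            silenced.append((entry.split("\n", 1)[0], vid, acks[vid]))
        else:
            shown.append(entry)
    return shown, silenced
```

Silenced entries are returned with their reason so a wrapper can log them separately rather than lose them; an entry without a recognisable ID is never silenced.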