From: Mark Felder <feld@FreeBSD.org>
To: Ben Woods
Cc: Miroslav Lachman <000.fbsd@quip.cz>, freebsd security <freebsd-security@freebsd.org>
Subject: Re: using pkg audit to show base vulnerabilities
Date: Wed, 07 Sep 2016 19:21:25 -0500

On Wed, Sep 7, 2016, at 18:23, Ben Woods wrote:
>
> Just a thought, once we move to PkgBase, will this simply work with "pkg
> audit"?
>

Yes, that's the plan as I know it.

> Are the new vuxml entries in the correct format to detect for individual
> base packages?
> E.g. FreeBSD-libxo, FreeBSD-libxo-debug, FreeBSD-libxo-development
>

The current format is irrelevant as the vulnerabilities will not apply to a FreeBSD release that has pkg base. This is just a stopgap that has been hacked up. I also do not know what the base package names will be yet as I haven't played around with it, but we will be ensuring that vuxml entries are correctly added once pkg base is finalized. It will be possible to add entries that match for both older FreeBSD releases and new pkg base releases.

> Are the new vuxml entries in a format that would support PkgBase for
> releases as well as for stable/current?
> E.g. FreeBSD-libxo-12.0_2, FreeBSD-libxo-12.0.s20160903042939
>

I don't know if it will be possible to match for stable/current users. Depends on the versioning scheme.

--
Mark Felder
ports-secteam member
feld@FreeBSD.org