Date: Mon, 14 Aug 2017 10:56:26 +0200
From: Remko Lodder <remko@FreeBSD.org>
To: Roger Marquis <marquis@roble.com>
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Message-ID: <36CDFE51-3E9A-42EA-8182-2972CE519DDC@FreeBSD.org>
In-Reply-To: <nycvar.OFS.7.76.1708132022470.4437@eboyr.pbz>
References: <nycvar.OFS.7.76.1708101931090.13252@eboyr.pbz> <C540BA50-5F06-4F99-A575-D27347A3F527@FreeBSD.org> <D12FD70B-2F2B-4895-AB9D-1BD72F8512B6@FreeBSD.org> <nycvar.OFS.7.76.1708111441430.53156@eboyr.pbz> <B1E5DD0C-8BBD-4F37-855C-447F28B0B49C@FreeBSD.org> <nycvar.OFS.7.76.1708111716080.86615@eboyr.pbz> <0F48B4BB-BB2C-479D-9F43-006D73C1E218@FreeBSD.org> <nycvar.OFS.7.76.1708132022470.4437@eboyr.pbz>
> On 14 Aug 2017, at 05:32, Roger Marquis <marquis@roble.com> wrote:
>
>> I do not think that holds:
>>
>> <vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
>>   <topic>php -- multiple vulnerabilities</topic>
>>   <affects>
>>     <package>
>>       <name>php55</name>
>>       <range><lt>5.5.38</lt></range>
>>     </package>
>>
>> This is an entry from svnweb, for php55, which was added in 2016 (07-26).
>>
>> So this entry is there. Thus it did not disappear from VuXML at least.
>
> You are right Remko. It looks like there was a policy or at least a
> practice change about a year ago. Even have an archived email from
> Gerhard Schmidt who first noticed it back in Aug 2016. My fault for not
> doing sufficient fact rechecking.
>
> So we are safe from false negatives after all. Hurray, I can stop
> relying on pkg-version (for this).
>
> That leaves just unpackaged base as FreeBSD's remaining audit weakness.

Hi,

I am happy that I can reduce your worry factor a bit ;-)

Can you share what the audit weakness is? freebsd-update cron checks whether or not an update is available and then emails you. If you run -RELEASE, then that means that either an EN or SA had been released.

Cheers
Remko

> Roger
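The check this thread is about, as an added example that is not pkg(8)'s code and not from the FreeBSD project: a small Python matcher that reads a VuXML entry like the php55 one quoted above and decides whether an installed package version falls inside its `<range>`. The sample document is constructed from the quoted entry with the standard closing tags added and the namespace left out; the package inventory is constructed; the version ordering is a simplified approximation of pkg's epoch/revision/dotted-component rules, not its real algorithm. It also lists installed packages that have no entry at all, because that is the case the false-negative worry was about: for a package with no entry, an audit that prints nothing is indistinguishable from an audit that found nothing.

```python
"""Added illustration for the pkg audit / VuXML discussion in this thread.
Not pkg(8)'s code. The version ordering is a simplified approximation of
pkg's rules (PORTEPOCH after ',' outranks everything, then dotted version
components, then PORTREVISION after '_'); it handles the php55 case here
but is not a drop-in replacement for pkg's comparison."""
import re
import xml.etree.ElementTree as ET

# Constructed sample document: the php55 entry quoted in the thread, with
# closing tags added so it parses. The real file carries an XML namespace;
# it is left out here so the element names stay plain.
SAMPLE_VUXML = """<vuxml>
<vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
  <topic>php -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>php55</name>
      <range><lt>5.5.38</lt></range>
    </package>
  </affects>
</vuln>
</vuxml>
"""

# Constructed inventory in the "name-version" form that `pkg query %n-%v` prints.
INSTALLED = ["php55-5.5.37", "php55-5.5.38_1", "php56-5.6.31"]


def split_pkg(name_version):
    """'php55-5.5.37' -> ('php55', '5.5.37'); the version follows the last '-'."""
    name, _, version = name_version.rpartition("-")
    return name, version


def _chunks(s):
    """Break '5.5.38' into comparable pieces; numeric pieces sort after letters."""
    return [(1, int(p)) if p.isdigit() else (0, p)
            for p in re.findall(r"\d+|[A-Za-z]+", s)]


def version_key(v):
    """Sort key approximating pkg's ordering: (epoch, components, revision)."""
    base, _, epoch = v.partition(",")
    base, _, rev = base.partition("_")
    return (int(epoch or 0), _chunks(base), int(rev or 0))


# VuXML range bounds: <lt>, <le>, <gt>, <ge>, <eq>. Every bound inside one
# <range> must hold for the range to match.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version, range_el):
    key = version_key(version)
    return all(OPS[bound.tag](key, version_key(bound.text.strip()))
               for bound in range_el)


def audit(installed, vuxml_text):
    """Return (pkg, vid, topic) for each installed package some entry matches."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.iter("vuln"):
        vid, topic = vuln.get("vid"), vuln.findtext("topic")
        for pkg in vuln.iter("package"):
            names = {n.text.strip() for n in pkg.findall("name")}
            ranges = pkg.findall("range")
            for nv in installed:
                name, version = split_pkg(nv)
                if name in names and any(in_range(version, r) for r in ranges):
                    hits.append((nv, vid, topic))
    return hits


def packages_without_entries(installed, vuxml_text):
    """Installed packages that no <package><name> mentions at all. An audit
    reports nothing for these, so silence cannot be told apart from 'clean'."""
    root = ET.fromstring(vuxml_text)
    known = {n.text.strip()
             for pkg in root.iter("package") for n in pkg.findall("name")}
    return [nv for nv in installed if split_pkg(nv)[0] not in known]


if __name__ == "__main__":
    for nv, vid, topic in audit(INSTALLED, SAMPLE_VUXML):
        print(f"{nv} is vulnerable: {topic} ({vid})")
    for nv in packages_without_entries(INSTALLED, SAMPLE_VUXML):
        print(f"{nv}: no VuXML entry at all, so it was not audited")
```

Run against the constructed inventory, only `php55-5.5.37` is flagged: `php55-5.5.38_1` sits at the fixed version with a port revision on top, and `php56-5.6.31` has no entry in the sample file, so it shows up in the second list rather than the first. That second list is the distinction worth keeping in mind whenever a package version reaches end of life and its entries stop being maintained.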
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?36CDFE51-3E9A-42EA-8182-2972CE519DDC>