From: Remko Lodder <remko@FreeBSD.org>
To: Roger Marquis
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Date: Mon, 14 Aug 2017 10:56:26 +0200
Message-Id: <36CDFE51-3E9A-42EA-8182-2972CE519DDC@FreeBSD.org>
References: <0F48B4BB-BB2C-479D-9F43-006D73C1E218@FreeBSD.org>

> On 14 Aug 2017, at 05:32, Roger Marquis wrote:
>
>> I do not think that holds:
>>
>> 17521 php -- multiple vulnerabilities
>> 17522
>> 17523
>> 17524 php55
>> 17525 5.5.38
>> 17526
>>
>> This is an entry from svnweb, for php55, which was added in 2016 (07-26).
>>
>> So this entry is there. Thus it did not disappear from VuXML at least.
>
> You are right Remko. It looks like there was a policy or at least a
> practice change about a year ago. I even have an archived email from
> Gerhard Schmidt who first noticed it back in Aug 2016. My fault for not
> doing sufficient fact rechecking.
>
> So we are safe from false negatives after all. Hurray, I can stop
> relying on pkg-version (for this).
>
> That leaves just unpackaged base as FreeBSD's remaining audit weakness.

Hi,

I am happy that I can reduce your worry factor a bit ;-)

Can you share what the audit weakness is? freebsd-update cron checks
whether or not an update is available and then emails you. If you run
-RELEASE, then that means that either an EN or SA has been released.

Cheers
Remko

> Roger
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
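Added example, not code from this thread, from pkg(8) or from the FreeBSD ports security team: a minimal VuXML matcher in Python showing the two things `pkg audit` has to get right for an entry like the php55 one quoted above to produce a hit rather than a false negative, namely matching the installed package name exactly and comparing versions with FreeBSD's `[version][_revision][,epoch]` ordering. The VuXML fragment below is constructed and modelled on the quoted php55 entry; the `vid`, the second package and its range are placeholders. The version comparison is a simplified reimplementation of pkg's ordering, not pkg's own code.

```python
"""Constructed illustration of VuXML range matching (not pkg(8) code)."""
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed VuXML-style document. The php55 package/range follows the entry
# quoted in the thread; the vid and the "example-app" package are placeholders.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>php -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>php55</name>
        <range><lt>5.5.38</lt></range>
      </package>
      <package>
        <name>example-app</name>
        <range><ge>2.0</ge><lt>2.0.5</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""


def parse_version(v):
    """Simplified FreeBSD package version key: (epoch, components, revision).

    Epoch (",N") dominates, then the dotted version, then the port revision
    ("_N"). Numeric components compare numerically, others as strings.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = [(0, int(p)) if p.isdigit() else (1, p) for p in v.split(".")]
    return (epoch, parts, rev)


def version_lt(a, b):
    return parse_version(a) < parse_version(b)


def in_range(version, range_el):
    """True if every bound inside a <range> element holds for version."""
    ok = True
    for cond in range_el:
        tag = cond.tag.split("}")[-1]
        bound = cond.text.strip()
        if tag == "lt":
            ok = ok and version_lt(version, bound)
        elif tag == "le":
            ok = ok and not version_lt(bound, version)
        elif tag == "gt":
            ok = ok and version_lt(bound, version)
        elif tag == "ge":
            ok = ok and not version_lt(version, bound)
        elif tag == "eq":
            ok = ok and parse_version(version) == parse_version(bound)
    return ok


def audit(vuxml_text, installed):
    """Match installed packages (name -> version) against a VuXML document.

    Returns a list of (name, version, vid, topic) tuples in document order.
    A package installed under a different name (e.g. php5 vs php55) is not
    matched: name mismatch is one source of audit false negatives.
    """
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.iter(NS + "vuln"):
        topic = vuln.findtext(NS + "topic")
        for pkg in vuln.iter(NS + "package"):
            names = [n.text.strip() for n in pkg.findall(NS + "name")]
            ranges = pkg.findall(NS + "range")
            for name in names:
                if name not in installed:
                    continue
                ver = installed[name]
                if any(in_range(ver, r) for r in ranges):
                    hits.append((name, ver, vuln.get("vid"), topic))
    return hits


if __name__ == "__main__":
    # Constructed installed set, as `pkg query '%n %v'` would list it.
    for name, ver, vid, topic in audit(SAMPLE_VUXML, {"php55": "5.5.37_1"}):
        print(f"{name}-{ver} is vulnerable:\n{topic}\nVuXML id: {vid}")
```

Note that `php55-5.5.38_1` is not flagged: the port revision sorts above the bare upstream version, which is the intended behaviour for a `<lt>` bound, while `php55-5.5.1,1` sorts above everything with epoch 0. Feeding the script the output of `pkg query '%n %v'` on a real host is left to the reader; it only needs the name/version pairs.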