From: Daniel Pittman
To: freebsd-questions@freebsd.org
Date: Mon, 31 Oct 2005 17:45:45 +1100
Message-ID: <87oe56rxpi.fsf@rimspace.net>
Subject: portaudit reports: how to exclude a specific vulnerability

G'day. I am relatively new to FreeBSD, but failed to find an answer to this question in the handbook, manual pages, or other references about portaudit:

At the moment, portaudit is reporting one vulnerability on my system, with the 'p5-Crypt-OpenPGP' package. There isn't, apparently, a release of this package available that resolves the issue.

I have checked the advisory and I am quite happy that the specific problem is not going to hurt here, so I don't mind that the theoretically vulnerable version is installed.[1]

I can't work out how to tell portaudit to stop bothering me about this particular vulnerability, though. Can I ask it to exclude a vulnerability, or (even better) a vulnerability/package combination, from reports?

I specifically /don't/ want to exclude the package from auditing, though, since I want to know if another security issue turns up for it.

Thanks,
Daniel

Footnotes:
[1] The specific issue is a cryptographic weakness that needs a specific and particularly unlikely bit of code written by us before it actually does anything. Not, as they say, going to happen.