Date: Fri, 11 Aug 2017 17:37:56 -0700 (PDT) From: Roger Marquis <marquis@roble.com> To: Remko Lodder <remko@FreeBSD.org> Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org Subject: Re: pkg audit false negatives Message-ID: <nycvar.OFS.7.76.1708111716080.86615@eboyr.pbz> In-Reply-To: <B1E5DD0C-8BBD-4F37-855C-447F28B0B49C@FreeBSD.org> References: <nycvar.OFS.7.76.1708101931090.13252@eboyr.pbz> <C540BA50-5F06-4F99-A575-D27347A3F527@FreeBSD.org> <D12FD70B-2F2B-4895-AB9D-1BD72F8512B6@FreeBSD.org> <nycvar.OFS.7.76.1708111441430.53156@eboyr.pbz> <B1E5DD0C-8BBD-4F37-855C-447F28B0B49C@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 11 Aug 2017, Remko Lodder wrote: > If an entry is removed from the ports/pkg tree?s and it is also removed > from VuXML, then yes, it will no longer get marked in your local > installation. That?s a bit of a chicken and egg basically. Although I do > not recall that it ever happened that ports that are no longer there, are > removed from VuXML as well. (And I follow that since 2004). > > Do you have a more concrete example that we can dive into to see what is > going on/going wrong? Should be able to find missing vulxml entries for most anything that has been deprecated from the ports tree but most of the ones I've seen are for web programming languages, particularly php. For example when php5X was dropped it also disappeared from vulxml, with no small number of servers still using it. If those sites depended on pkg-audit to tell them they had a vulnerability, well, they were out of luck. There was no warning, no error, no disclaimer, pkg-audit did and still does nothing different than it would for a non-vulnerable port or package. There may be more vulnerabilities in the wild from non-packaged base as it is larger but at least people are working on that. Pkg-audit tracking of installed but deprecated ports OTOH, seems to have fallen through the cracks. Even the FreeBSD Foundation and the ports-security teams appear to be ignoring this issue. Roger Marquis
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?nycvar.OFS.7.76.1708111716080.86615>