Date:      Tue, 23 Aug 2016 08:08:12 -0500
From:      Weldon Godfrey <weldon@excelsusphoto.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Ports EOL vuxml entry
Message-ID:  <80eda92991512e9c50915536e7793396@excelsusphoto.com>

Gerhard Schmidt <schmidt@ze.tum.de> wrote:

> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.

An EOL product is typically no longer tracked, analyzed, and corrected
for security vulnerabilities.  With this higher risk profile, it is
correct to assume it is vulnerable or at least a higher security risk.
Since a clean report from pkg audit with EOL packages on the system will
mislead the vast majority of end-users into thinking they have a lower
risk security profile, it is correct for pkg audit to warn on EOL
packages, especially since any actual vulnerabilities, which are almost
certain to come up, will likely never show on a future report.
Date:      Wed, 24 Aug 2016 01:02:42 +1000
From:      Kubilay Kocak <koobs@FreeBSD.org>
To:        Weldon Godfrey <weldon@excelsusphoto.com>, freebsd-security@freebsd.org
Subject:   Re: Ports EOL vuxml entry
Message-ID:  <8a222379-442d-b77d-e96d-27a556f798df@FreeBSD.org>
In-Reply-To: <80eda92991512e9c50915536e7793396@excelsusphoto.com>

On 23/08/2016 11:08 PM, Weldon Godfrey wrote:
> Gerhard Schmidt <schmidt@ze.tum.de> wrote:
> 
>> Is an outdated (EOL) port a vulnerability? I don't think so. It's
>> a possible vulnerability, but not a real one.
> 
> An EOL product is typically no longer tracked, analyzed, and
> corrected for security vulnerabilities.  With this higher risk
> profile, it is correct to assume it is vulnerable or at least a
> higher security risk. Since a clean report from pkg audit with EOL
> packages on the system will mislead the vast majority of end-users
> that they have a lower risk security profile.  It is correct for pkg
> audit to warn on EOL packages. Especially since any actual
> vulnerabilities, that is almost certain to come up, will likely never
> show on a future report.

This (good) argument sounds primarily about classification and/or the
ability or lack thereof to distinguish between types-of-things, which
are not identical:

* Explicit vulnerability ("Active", Official record (CVE, etc), will or
likely/expected to be fixed)
* Implicit (probable) vulnerability (by way of EoL, no fixes/support,
may have CVE (forever), port/pkg deleted, etc)

VuXML is about declaring/documenting vulnerabilities yes, but it's also
about arming users with the information they need to make sound security
decisions. Being prescriptive in *either* case is not really telling the
full truth and feels unsatisfying.

If and when we delete ports/packages of still-upstream-supported
software (say they are BROKEN in latest FreeBSD versions) that have
active CVEs now or ever in the future, are they "vulnerable" according
to what we want if a user has them installed? Should they be listed?

Having said that, VuXML is a 'vulnerability markup language', and
without an actual and explicit 'vulnerability', should it be listed?

On solutions, perhaps this is a simple matter of
--exclude-{deleted,eol,<type>} or similar in pkg audit to tell the
difference, allowing the user to make *note* of differences, and decide
accordingly. I shall avoid the bikeshed on what the default should be.

Or maybe an EoLXML. Read this generically as: a second or multiple data
'sources' for pkg audit, for auditing different things. Just free
thinking here.

./koobs