From: Weldon Godfrey <weldon@excelsusphoto.com>
To: freebsd-security@freebsd.org
Subject: Re: Ports EOL vuxml entry
Date: Tue, 23 Aug 2016 08:08:12 -0500
Message-ID: <80eda92991512e9c50915536e7793396@excelsusphoto.com>

Gerhard Schmidt wrote:
> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.

An EOL product is typically no longer tracked, analyzed, and corrected for security vulnerabilities. With this higher risk profile, it is correct to assume it is vulnerable or at least a higher security risk. Since a clean report from pkg audit with EOL packages on the system will mislead the vast majority of end-users into thinking they have a lower risk security profile, it is correct for pkg audit to warn on EOL packages. Especially since any actual vulnerabilities, which are almost certain to come up, will likely never show on a future report.


From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
To: Weldon Godfrey, freebsd-security@freebsd.org
Subject: Re: Ports EOL vuxml entry
Date: Wed, 24 Aug 2016 01:02:42 +1000
Message-ID: <8a222379-442d-b77d-e96d-27a556f798df@FreeBSD.org>
In-Reply-To: <80eda92991512e9c50915536e7793396@excelsusphoto.com>

On 23/08/2016 11:08 PM, Weldon Godfrey wrote:
> Gerhard Schmidt wrote:
>
>> Is an outdated (EOL) port a vulnerability? I don't think so. It's
>> a possible vulnerability, but not a real one.
>
> An EOL product is typically no longer tracked, analyzed, and
> corrected for security vulnerabilities. With this higher risk
> profile, it is correct to assume it is vulnerable or at least a
> higher security risk. Since a clean report from pkg audit with EOL
> packages on the system will mislead the vast majority of end-users
> into thinking they have a lower risk security profile, it is correct
> for pkg audit to warn on EOL packages. Especially since any actual
> vulnerabilities, which are almost certain to come up, will likely
> never show on a future report.

This (good) argument sounds primarily about classification and/or the ability or lack thereof to distinguish between types of things, which are not identical:

* Explicit vulnerability ("active", official record (CVE, etc.), will be or is likely/expected to be fixed)
* Implicit (probable) vulnerability (by way of EoL, no fixes/support, may have CVEs (forever), port/pkg deleted, etc.)

VuXML is about declaring/documenting vulnerabilities, yes, but it's also about arming users with the information they need to make sound security decisions. Being prescriptive in *either* case is not really telling the full truth and feels unsatisfying.

If and when we delete ports/packages of still-upstream-supported software (say they are BROKEN in the latest FreeBSD versions) that have active CVEs now or ever in the future, are they "vulnerable" according to what we want if a user has them installed? Should they be listed?

Having said that, VuXML is a 'vulnerability markup language', and without an actual and explicit 'vulnerability', should it be listed?

On solutions, perhaps this is a simple matter of --exclude-{deleted,eol,} or similar in pkg audit to tell the difference, allowing the user to make *note* of the differences and decide accordingly. I shall avoid the bikeshed on what the default should be.

Or maybe an EoLXML. Read this generically as: a second or multiple data 'sources' for pkg audit, for auditing different things.

Just free thinking here.

./koobs
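As an added example (not code from the thread, from pkg or from VuXML itself), the two-source split sketched above as a toy auditor in Python: an explicit-vulnerability feed in VuXML syntax, a second hypothetical EoL feed whose layout is assumed here, and an exclude switch mirroring the proposed --exclude-eol. The version comparison is simplified to dotted integers, and the vid and CVE id in the sample are placeholders.

```python
import xml.etree.ElementTree as ET
NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed sample feeds. The vid and CVE id below are placeholders, not real records.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
 <vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>examplelib -- constructed parser bug</topic>
  <affects><package><name>examplelib</name><range><lt>2.4.1</lt></range></package></affects>
  <references><cvename>CVE-XXXX-XXXXX</cvename></references>
 </vuln>
</vuxml>"""
# Hypothetical "EoLXML" layout: the thread only floats the name, this shape is invented here.
EOLXML = """<eol><package><name>oldruntime</name><lt>5.6</lt><note>upstream end of life</note></package></eol>"""

def vkey(version):
    """Simplified version key: dotted integers only (pkg's real comparison is richer)."""
    return tuple(int(part) for part in version.split("."))

def vuxml_findings(xml_text, installed):
    """Explicit vulnerabilities: an installed version falls inside an affected <range>."""
    found = []
    for vuln in ET.fromstring(xml_text).iter(NS + "vuln"):
        topic = vuln.findtext(NS + "topic")
        cves = [c.text for c in vuln.iter(NS + "cvename")]
        for pkg in vuln.iter(NS + "package"):
            name = pkg.findtext(NS + "name")
            if name not in installed:
                continue
            have = vkey(installed[name])
            for rng in pkg.iter(NS + "range"):
                ge, lt = rng.findtext(NS + "ge"), rng.findtext(NS + "lt")
                if (ge is None or have >= vkey(ge)) and (lt is None or have < vkey(lt)):
                    found.append(("vuln", name, topic, cves))
    return found

def eol_findings(xml_text, installed):
    """Implicit risk: an installed version is below the EoL cutoff of the second source."""
    found = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        name = pkg.findtext("name")
        if name in installed and vkey(installed[name]) < vkey(pkg.findtext("lt")):
            found.append(("eol", name, pkg.findtext("note"), []))
    return found

def audit(installed, exclude_eol=False):
    """Merge both sources into one report; exclude_eol mirrors the proposed --exclude-eol switch."""
    findings = vuxml_findings(VUXML, installed)
    if not exclude_eol:
        findings += eol_findings(EOLXML, installed)
    return findings
```

Each finding carries its class as the first field, so a report can show EoL notices alongside explicit vulnerabilities without conflating the two.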