Date: Sat, 12 Aug 2017 09:57:43 +0200
From: Remko Lodder <remko@FreeBSD.org>
To: Roger Marquis <marquis@roble.com>
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Message-ID: <0F48B4BB-BB2C-479D-9F43-006D73C1E218@FreeBSD.org>
In-Reply-To: <nycvar.OFS.7.76.1708111716080.86615@eboyr.pbz>
References: <nycvar.OFS.7.76.1708101931090.13252@eboyr.pbz> <C540BA50-5F06-4F99-A575-D27347A3F527@FreeBSD.org> <D12FD70B-2F2B-4895-AB9D-1BD72F8512B6@FreeBSD.org> <nycvar.OFS.7.76.1708111441430.53156@eboyr.pbz> <B1E5DD0C-8BBD-4F37-855C-447F28B0B49C@FreeBSD.org> <nycvar.OFS.7.76.1708111716080.86615@eboyr.pbz>
> On 12 Aug 2017, at 02:37, Roger Marquis <marquis@roble.com> wrote:
>
> On Fri, 11 Aug 2017, Remko Lodder wrote:
>
>> If an entry is removed from the ports/pkg tree's and it is also removed
>> from VuXML, then yes, it will no longer get marked in your local
>> installation. That's a bit of a chicken and egg basically. Although I do
>> not recall that it ever happened that ports that are no longer there, are
>> removed from VuXML as well. (And I follow that since 2004).
>> Do you have a more concrete example that we can dive into to see what is
>> going on/going wrong?
>
> Should be able to find missing vulxml entries for most anything that has
> been deprecated from the ports tree but most of the ones I've seen are
> for web programming languages, particularly php.

I do not think that holds:

<vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
  <topic>php -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>php55</name>
      <range><lt>5.5.38</lt></range>
    </package>

This is an entry from svnweb, for php55, which was added in 2016(07-26).
So this entry is there. Thus it did not disappear from VuXML at least.

Can you show such a packet from your local installation(s) and present a
``pkg audit -F`` alongside it. I would also like to see a detailed pkg info
from the affected pkg.

Thanks a lot in advance,
Remko

> For example when php5X was dropped it also disappeared from vulxml, with
> no small number of servers still using it. If those sites depended on
> pkg-audit to tell them they had a vulnerability, well, they were out of
> luck. There was no warning, no error, no disclaimer, pkg-audit did and
> still does nothing different than it would for a non-vulnerable port or
> package.
> There may be more vulnerabilities in the wild from non-packaged base as
> it is larger but at least people are working on that. Pkg-audit
> tracking of installed but deprecated ports OTOH, seems to have fallen
> through the cracks. Even the FreeBSD Foundation and the ports-security
> teams appear to be ignoring this issue.
>
> Roger Marquis
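The matching that pkg audit does is easy to reproduce in miniature, which makes the false-negative case in this thread concrete: an installed package is only flagged if some <vuln> in VuXML still carries an <affects>/<package> entry naming it with a <range> its version satisfies. The checker below is an added example (not code from this thread or from pkg); it parses a constructed VuXML fragment modelled on the php55 entry quoted above and reports which installed "name-version" strings fall inside an affected range. The namespace URI and the lt/le/eq/ge/gt bound elements are the ones VuXML uses; the version comparison is a deliberately simplified stand-in for pkg's own version rules.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample modelled on the php55 entry quoted above (the real vuln.xml has many <vuln>s).
VUXML_SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
  <topic>php -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>php55</name>
      <range><lt>5.5.38</lt></range>
    </package>
  </affects>
</vuln>
</vuxml>"""
NS = "{http://www.vuxml.org/apps/vuxml-1}"

def version_key(version):
    """Simplified comparison key (assumption: this does not reproduce pkg's
    full version grammar such as _n/,n suffixes; components are split on
    dots and compared numerically when possible)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[._,]", version))

# Bound elements a VuXML <range> may contain, mapped to comparisons.
OPS = {
    "lt": lambda a, b: version_key(a) < version_key(b),
    "le": lambda a, b: version_key(a) <= version_key(b),
    "eq": lambda a, b: version_key(a) == version_key(b),
    "ge": lambda a, b: version_key(a) >= version_key(b),
    "gt": lambda a, b: version_key(a) > version_key(b),
}

def affected(vuxml_text, installed):
    """Map each installed "name-version" to the vids whose <package> entry
    names it and whose <range> bounds its version all satisfies."""
    root = ET.fromstring(vuxml_text)
    hits = {}
    for pkg in installed:
        name, _, version = pkg.rpartition("-")
        for vuln in root.iter(NS + "vuln"):
            for package in vuln.iter(NS + "package"):
                if name not in {n.text for n in package.findall(NS + "name")}:
                    continue
                for rng in package.findall(NS + "range"):
                    bounds = [(b.tag[len(NS):], b.text) for b in rng]
                    if bounds and all(OPS[op](version, v) for op, v in bounds):
                        hits.setdefault(pkg, []).append(vuln.get("vid"))
                        break  # one matching range per vuln is enough
    return hits
```

A package whose entry is absent from the document (php53 in the test below) simply produces no hit, which is the silent outcome the thread is about; the only defence is keeping the entry in VuXML, since the checker has nothing else to go on.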