Date: Tue, 23 Aug 2016 08:50:44 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: schmidt@ze.tum.de
Cc: freebsd-security@freebsd.org
Subject: Re: Ports EOL vuxml entry
In-Reply-To: <a0a8f797-859e-23f7-7606-72a7dc50acb0@ze.tum.de>
References: <6c3a84dc-5669-039c-6fa1-92565dd47dff@ze.tum.de> <3sHwFX4YYpz1y2W@mailrelay2.lrz.de> <a0a8f797-859e-23f7-7606-72a7dc50acb0@ze.tum.de>
> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.

Exactly. The meta-discussion we're having is regarding the word 'audit'
(in 'pkg audit'). When you or I audit a server or a site the client always
wants to know about potential vulnerabilities as well as known ones. This
is because the deliverable is a measure of risk, not just proven risks but
also potential risks. Even the commercial scanning tools (Tripwire, Qualys,
...) report on potential vulnerabilities as well as those documented in CVEs.

> I have some servers that run legacy code that still needs
> python24. Every one of these machines reports right now that there is a
> vulnerable package installed and there is no way to tell pkg audit to
> stop reporting it.

If my reading of
<www.cvedetails.com/vulnerability-list/vendor_id-1238/Python-Software-Foundation.html>
is correct, python24 has documented vulnerabilities. This is expected of
deprecated software and the reason many of us want to know which installed
packages are deprecated when we run 'pkg audit'.

> Sure I can filter python24 from the pkg audit output so it doesn't trigger
> the warning.

Why not just 'grep vulnerable' if that's your goal, or 'grep -v deprecated'
(or use a pkg flag to that effect if and when one becomes available)?

> They are a different kind of security risk and pkg audit should report
> them by default as that, but not as a vulnerability.

But it's not reporting them as vulnerable, it is reporting them as
deprecated or unmaintained.

> There should be a way to state that the sysadmin is aware of the
> outdated port and prevent pkg audit from reporting it

Agreed, though I expect such a report would see little use.

Roger
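The post-processing the thread circles around, as an added example that is not from this thread or from pkg(8): split pkg audit output into CVE-backed findings and end-of-life notices, and honour an administrator's acknowledgement file for the latter only. The output shape, the sample blocks, the placeholder CVE/UUID values and the ack-file path are all assumptions.

```sh
#!/bin/sh
# Added example, not pkg(8) code. Assumption: pkg audit prints one block per
# package beginning "<name>-<version> is vulnerable:" followed by indented
# detail lines such as "  CVE: ..." and "  WWW: ...".

# Constructed sample in that shape (UUIDs and the CVE id are placeholders).
SAMPLE_AUDIT='python24-2.4.6_7 is vulnerable:
  python24 -- end of life
  WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-UUID-1.html

openssl-1.0.1_1 is vulnerable:
  OpenSSL -- multiple vulnerabilities
  CVE: CVE-0000-0001
  WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-UUID-2.html

2 problem(s) in 2 installed package(s) found.'

# classify_audit: stdin is pkg-audit-style text; prints "cve <name>" when
# the package's block carries a CVE line, otherwise "eol <name>".
classify_audit() {
    awk '
        function emit(    cls) {
            if (pkg != "") { cls = has_cve ? "cve" : "eol"; print cls " " pkg }
            pkg = ""
        }
        /^[^ ].* is vulnerable:$/ {
            emit(); pkg = $1; sub(/-[^-]*$/, "", pkg); has_cve = 0; next
        }
        /^[ \t]+CVE:/ { has_cve = 1; next }
        END { emit() }
    '
}

# filter_acked FILE: drop "eol" lines whose package name is listed in FILE
# (one name per line). "cve" lines always pass, acknowledged or not, so an
# ack can silence a deprecation notice but never a documented vulnerability.
filter_acked() {
    awk -v ackfile="$1" '
        BEGIN { while ((getline line < ackfile) > 0) acked[line] = 1 }
        $1 == "eol" && ($2 in acked) { next }
        { print }
    '
}

# Demonstration on the constructed sample. Real use would be
#   pkg audit | classify_audit | filter_acked /usr/local/etc/pkg-audit.ack
# (the ack file path is an assumption, not a pkg convention).
printf '%s\n' "$SAMPLE_AUDIT" | classify_audit
```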