Date: Tue, 23 Aug 2016 08:50:44 -0700 (PDT)
From: Roger Marquis 
To: schmidt@ze.tum.de
cc: freebsd-security@freebsd.org
Subject: Re: Ports EOL vuxml entry
In-Reply-To: 
References: <6c3a84dc-5669-039c-6fa1-92565dd47dff@ze.tum.de> <3sHwFX4YYpz1y2W@mailrelay2.lrz.de>
List-Id: "Security issues \[members-only posting\]" 

> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.

Exactly. The meta-discussion we're having is regarding the word 'audit'
(in 'pkg audit'). When you or I audit a server or a site, the client
always wants to know about potential vulnerabilities as well as known
ones. This is because the deliverable is a measure of risk, not just
proven risks but also potential risks. Even the commercial scanning
tools (Tripwire, Qualys ...) report on potential vulnerabilities as well
as those documented in CVEs.

> I have some servers that run legacy code that still needs
> python24. Every one of these machines reports right now that there is a
> vulnerable package installed and there is no way to tell pkg audit to
> stop reporting it.

If my reading of is correct, python24 has documented vulnerabilities.
This is expected of deprecated software and the reason many of us want
to know which installed packages are deprecated when we run 'pkg audit'.

> Sure I can filter python24 from the pkg audit output so it doesn't trigger
> the warning.

Why not just 'grep vulnerable' if that's your goal, or 'grep -v
deprecated' (or use a pkg flag to that effect if and when one becomes
available)?

> They are a different kind of security risk and pkg audit should report
> them by default as that, but not as vulnerability.

But it's not reporting them as vulnerable, it is reporting them as
deprecated or unmaintained.

> There should be a way to state that the sysadmin is aware of the
> outdated port and prevent pkg audit from reporting it

Agreed, though I expect such a report would see little use.

Roger