From: Peter Jeremy
To: Oliver Eikemeier
cc: "Jacques A. Vidrine"
cc: cvs-ports@freebsd.org
cc: cvs-all@freebsd.org
cc: ports-committers@freebsd.org
Date: Tue, 30 Mar 2004 17:36:52 +1000
Subject: Re: cvs commit: ports/multimedia/xine Makefile
Message-ID: <20040330073652.GB74220@server.vk2pj.dyndns.org>
In-Reply-To: <40686785.7020002@fillmore-labs.com>
References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com>
List-Id: CVS commit messages for the ports tree

On Mon, Mar 29, 2004 at 08:14:29PM +0200, Oliver Eikemeier wrote:
>I guess we have to add a severity tag then, to enable `soft'
>vulnerabilities.
>I have an automated script that barks on unmarked
>vulnerabilities, and it can't decide which vulnerability is
>`important'.

Let me offer two (admittedly hypothetical) examples as to why this can't work:

1) port "foo" has a severe IPv6 vulnerability: it includes a network daemon process which has a bug allowing an attacker to execute arbitrary commands as root by sending IPv6 packets. There's no vulnerability for IPv4. Despite the seriousness of this bug, it doesn't affect me because I don't run IPv6 - it's not even compiled into my kernel.

2) port "bar" has an apparently trivial vulnerability that only appears when a particularly obscure set of configuration options is used. I need "bar" with those particular options as part of a business-critical application - the vulnerability is critical to me and I need to know that I need to avoid the affected versions.

It might be "obvious" that "foo" should be FORBIDDEN and "bar" shouldn't be, but this is precisely the opposite behaviour to what I need. I can't see any way to automate this.

Peter