From owner-freebsd-security@FreeBSD.ORG Wed Mar 20 17:22:51 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id A34B3E39 for ; Wed, 20 Mar 2013 17:22:51 +0000 (UTC) (envelope-from simon@qxnitro.org) Received: from mail-ob0-x232.google.com (mail-ob0-x232.google.com [IPv6:2607:f8b0:4003:c01::232]) by mx1.freebsd.org (Postfix) with ESMTP id 43B0074C for ; Wed, 20 Mar 2013 17:22:51 +0000 (UTC) Received: by mail-ob0-f178.google.com with SMTP id wd20so1885228obb.37 for ; Wed, 20 Mar 2013 10:22:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qxnitro.org; s=google; h=mime-version:x-received:x-originating-ip:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=lS5C1b05n8pY7UvgSH8zmAcPUgCS+uDVC1sBlTUxBqQ=; b=G4mnZgC449ZJob59LETB8DVb4QYnPf+xATngsDBBD3ebv71TsJ+gWmhWamw/qVUkUC //8K0C9wTvhxz0W3SU+fWo0UAlPhvzrR0e5fGMb2Dl1Tag9iZRZERqn4cHDKgoAcpaFI qbOnSFAr10ZprkGJT7OmqUKmmAcWZ6IXrfoCs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding :x-gm-message-state; bh=lS5C1b05n8pY7UvgSH8zmAcPUgCS+uDVC1sBlTUxBqQ=; b=ECx4m0DkhrVzvMBn8KQxk2GEaH6hUzTFFtVqTOPLnKtGz8HBNpWdGqLqr0QMFdw4bJ 7KIfOfNSVCdwC7BmeNr0UN8C/XC7zpo8o/xRGgFaKHnhfoR8FySDc5Vf1kOEduRJwDUF qi0LQ2WsTevU2dTelVLFLXghlfrOtoitJkmWvNPWzQnGf5KludW/SqT9JDJLOh7fqM1q 4eI/CxFy5ELDiWsQOCIEGrG8L0OrorhXzz8gDCoGhEn/rGE7Hq+Pne3VLo7C7ac7Oq8H gkbigvOLhHNF6tLMNhHZro21dXWt+Vm+yi14F9xvmPaN/Z3GoSg7HK4WkMyh49zzB5JB jSDg== MIME-Version: 1.0 X-Received: by 10.60.37.229 with SMTP id b5mr4832300oek.21.1363800170820; Wed, 20 Mar 2013 10:22:50 -0700 (PDT) Received: by 10.76.168.129 with HTTP; Wed, 20 Mar 2013 10:22:50 -0700 (PDT) X-Originating-IP: [2620:0:1040:204:3939:5af7:1315:a5] Date: Wed, 20 Mar 2013 17:22:50 +0000 Message-ID: Subject: Re: CPE [was old perl vulnerabilitiy] From: "Simon L. B. Nielsen" To: =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Gm-Message-State: ALoCoQkmjNk/T5Q2nUbGhtwGottAC2O2H1k0OKkT+ELu+8BNEWIKJidTyIzESjh8CfaeDZMsyam3 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Mar 2013 17:22:51 -0000 On 18 March 2013 16:01, Dag-Erling Sm=C3=B8rgrav wrote: > Ryan Steinmetz writes: >> It does have the same issue. I've corrected the VuXML entry and you >> should see updated portaudit results within 30 minutes. Your 5.8.9 >> perl-threaded installation should also show up as vulnerable to the same >> issue. > > This wouldn't keep happening if we used CPEs whenever possible... Where would you use CPE - in all packages ? I assume you are talking about http://cpe.mitre.org/about/ ? Part of the problem for VuXML is the trilion names for packages some ports have, making it more painful. In the past we also had a number of the tools which let one simpler grep for package names, but those require infrastructure which doesn't exist anymore. --=20 Simon L. B. Nielsen