Date: Tue, 30 Mar 2004 17:36:52 +1000
From: Peter Jeremy <peterjeremy@optushome.com.au>
To: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Cc: ports-committers@freebsd.org
Subject: Re: cvs commit: ports/multimedia/xine Makefile
Message-ID: <20040330073652.GB74220@server.vk2pj.dyndns.org>
In-Reply-To: <40686785.7020002@fillmore-labs.com>
References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com>
On Mon, Mar 29, 2004 at 08:14:29PM +0200, Oliver Eikemeier wrote:
>I guess we have to add a severity tag then, to enable `soft'
>vulnerabilities. I have an automated script that barks on unmarked
>vulnerabilities, and it can't decide which vulnerability is
>`important'.

Let me offer two (admittedly hypothetical) examples as to why this can't work:

1) port "foo" has a severe IPv6 vulnerability: It includes a network daemon process which has a bug allowing an attacker to execute arbitrary commands as root by sending IPv6 packets. There's no vulnerability for IPv4. Despite the seriousness of this bug, it doesn't affect me because I don't run IPv6 - it's not even compiled into my kernel.

2) port "bar" has an apparently trivial vulnerability that only appears when a particularly obscure set of configuration options is used. I need "bar" with those particular options as part of a business-critical application - the vulnerability is critical to me and I need to know that I need to avoid the affected versions.

It might be "obvious" that "foo" should be FORBIDDEN and "bar" shouldn't be, but this is precisely the opposite behaviour to what I need. I can't see any way to automate this.

Peter