From owner-freebsd-security@freebsd.org Sat Aug 12 07:57:48 2017
From: Remko Lodder
Message-Id: <0F48B4BB-BB2C-479D-9F43-006D73C1E218@FreeBSD.org>
Subject: Re: pkg audit false negatives
Date: Sat, 12 Aug 2017 09:57:43 +0200
To: Roger Marquis
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
List-Id: "Security issues [members-only posting]"

> On 12 Aug 2017, at 02:37, Roger Marquis wrote:
>
> On Fri, 11 Aug 2017, Remko Lodder wrote:
>
>> If an entry is removed from the ports/pkg tree's and it is also removed
>> from VuXML, then yes, it will no longer get marked in your local
>> installation. That's a bit of a chicken and egg basically. Although I do
>> not recall that it ever happened that ports that are no longer there, are
>> removed from VuXML as well. (And I follow that since 2004).
>> Do you have a more concrete example that we can dive into to see what is
>> going on/going wrong?
>
> Should be able to find missing vulxml entries for most anything that has
> been deprecated from the ports tree but most of the ones I've seen are
> for web programming languages, particularly php.

I do not think that holds:

    17521 php -- multiple vulnerabilities
    17522
    17523
    17524 php55
    17525 5.5.38
    17526

This is an entry from svnweb, for php55, which was added in 2016(07-26). So
this entry is there. Thus it did not disappear from VuXML at least.
Can you show such a package from your local installation(s) and present a
``pkg audit -F`` alongside it. I would also like to see a detailed pkg info
from the affected pkg.

Thanks a lot in advance,
Remko

> For example when php5X was dropped it also disappeared from vulxml, with
> no small number of servers still using it. If those sites depended on
> pkg-audit to tell them they had a vulnerability, well, they were out of
> luck. There was no warning, no error, no disclaimer, pkg-audit did and
> still does nothing different than it would for a non-vulnerable port or
> package.
>
> There may be more vulnerabilities in the wild from non-packaged base as
> it is larger but at least people are working on that. Pkg-audit
> tracking of installed but deprecated ports OTOH, seems to have fallen
> through the cracks. Even the FreeBSD Foundation and the ports-security
> teams appear to be ignoring this issue.
>
> Roger Marquis
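As an added illustration of the gap this thread is about (example code, not part of the mail and not pkg(8)'s own logic): a small checker that parses a VuXML excerpt and reports, besides the installed packages an entry matches, the installed package names that no VuXML entry mentions at all, since those are exactly what `pkg audit` can never flag. The VuXML snippet embeds the php55 / 5.5.38 entry quoted above under a placeholder vid; the installed package list and the simplified version ordering are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/apps/vuxml-1}"  # VuXML namespace
# Constructed excerpt: the php55 / 5.5.38 entry mirrors the svnweb lines
# quoted in the mail; the vid is a placeholder, not a real VuXML id.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="PLACEHOLDER-VID"><topic>php -- multiple vulnerabilities</topic>
    <affects><package><name>php55</name><range><lt>5.5.38</lt></range></package></affects>
  </vuln>
</vuxml>"""

# Simplified version ordering (assumption): epoch after ',', dotted numeric
# parts, port revision after '_'. pkg(8) handles more (letters, 'pl', ...).
def vers_key(v):
    epoch = rev = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    parts = tuple(int(p) if p.isdigit() else 0 for p in v.split("."))
    return (epoch, parts, rev)

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b}

def in_range(version, rng):
    """True when every bound element inside a <range> holds for version."""
    return all(OPS[c.tag.replace(NS, "")](vers_key(version), vers_key(c.text.strip()))
               for c in rng)

def audit(vuxml_text, installed):
    """installed: 'name-version' strings as 'pkg info' prints them.
    Returns (vulnerable, uncovered): packages hit by an entry, and package
    names no VuXML entry mentions at all, which pkg audit can never flag."""
    vulnerable, covered = {}, set()
    for vuln in ET.fromstring(vuxml_text).iter(NS + "vuln"):
        topic = vuln.find(NS + "topic").text
        for pkg in vuln.iter(NS + "package"):
            name = pkg.find(NS + "name").text
            for pkgstr in installed:
                iname, iver = pkgstr.rsplit("-", 1)
                if iname == name:
                    covered.add(iname)
                    if any(in_range(iver, r) for r in pkg.findall(NS + "range")):
                        vulnerable.setdefault(pkgstr, []).append(topic)
    uncovered = sorted({p.rsplit("-", 1)[0] for p in installed} - covered)
    return vulnerable, uncovered
```

Against the real database, feed it the output of `pkg info` and the unpacked `vuln.xml`; an "uncovered" name for a package that was deprecated from the ports tree is the case to investigate by hand.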