Date: Fri, 26 Aug 2016 12:53:11 +0200
From: Gerhard Schmidt <estartu@ze.tum.de>
To: Xin Li <delphij@delphij.net>, freebsd-security@freebsd.org
Subject: Re: Ports EOL vuxml entry
Message-ID: <f382bf97-60f4-f2df-b1b5-30fec1fd24ac@ze.tum.de>
In-Reply-To: <0a6f9f6a-349a-0d03-69f8-97ad7c4d96b2@delphij.net>
References: <6c3a84dc-5669-039c-6fa1-92565dd47dff@ze.tum.de>
 <3sHwFX4YYpz1y2W@mailrelay2.lrz.de>
 <a0a8f797-859e-23f7-7606-72a7dc50acb0@ze.tum.de>
 <0a6f9f6a-349a-0d03-69f8-97ad7c4d96b2@delphij.net>

On 24.08.2016 at 11:36, Xin Li wrote:
>
>
> On 8/23/16 14:23, Gerhard Schmidt wrote:
>> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
>> possible vulnerability, but not a real one.
>
> Do you have an exact VuXML ID? I don't think vuxml actually warns about
> EoL'ed software, and it's likely that you have an actual issue, and
> choose to ignore it (probably for legitimate reason). If it's just
> reporting a software being outdated (rather than really vulnerable to
> something), then we should change the entry, I doubt that this is not
> the case, though.

python24-2.4.6 is vulnerable:
End of Life Ports
WWW: https://vuxml.FreeBSD.org/freebsd/7fe7df75-6568-11e6-a590-14dae9d210b8.html

It lists a number of ports that are outdated. No actual vulnerability mentioned.

> It seems to be sensible to implement Tim's suggestion, however, that
> allows the system administrator to explicitly override certain VuXML
> IDs, if they really know what they are doing.

That would be really helpful.

Regards
   Gerhard Schmidt

-- 
----------------------------------------------------------
Gerhard Schmidt                | E-Mail: schmidt@ze.tum.de
Technische Universität München | Jabber: estartu@ze.tum.de
WWW & Online Services          |
Tel: +49 89 289-25270          | PGP-PublicKey
Fax: +49 89 289-25257          | on request