From owner-freebsd-security@freebsd.org Fri Aug 26 10:53:26 2016
From: Gerhard Schmidt
Reply-To: schmidt@ze.tum.de
Organization: Technische Universität München - WWW und Online Services
To: Xin Li, freebsd-security@freebsd.org
Subject: Re: Ports EOL vuxml entry
Date: Fri, 26 Aug 2016 12:53:11 +0200
In-Reply-To: <0a6f9f6a-349a-0d03-69f8-97ad7c4d96b2@delphij.net>
List-Id: Security issues [members-only posting]

On 24.08.2016 at 11:36, Xin Li wrote:
>
>
> On 8/23/16 14:23, Gerhard Schmidt wrote:
>> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
>> possible vulnerability, but not a real one.
>
> Do you have an exact VuXML ID? I don't think vuxml actually warns about
> EoL'ed software, and it's likely that you have an actual issue, and
> choose to ignore it (probably for legitimate reason). If it's just
> reporting a software being outdated (rather than really vulnerable to
> something), then we should change the entry, I doubt that this is not
> the case, though.

python24-2.4.6 is vulnerable:
End of Life Ports
WWW: https://vuxml.FreeBSD.org/freebsd/7fe7df75-6568-11e6-a590-14dae9d210b8.html

It lists a number of ports that are outdated. No actual vulnerability is mentioned.

> It seems to be sensible to implement Tim's suggestion, however, that
> allows the system administrator to explicitly override certain VuXML
> IDs, if they really know what they are doing.

That would be really helpful.

Regards
Gerhard Schmidt

--
----------------------------------------------------------
Gerhard Schmidt                | E-Mail: schmidt@ze.tum.de
Technische Universität München | Jabber: estartu@ze.tum.de
WWW & Online Services          | Tel: +49 89 289-25270
                               | PGP-PublicKey  Fax: +49 89 289-25257
                               | on request
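One way to realise the administrator override Xin Li mentions, as an added example that is not from this thread, from pkg(8) or from the ports tree: a wrapper that parses `pkg audit` output in the layout quoted above (an assumption, since only that one entry is shown) and drops an entry only when its VuXML ID appears in an operator-maintained list together with a written justification. The `example-1.0` entry and its all-zero ID are constructed placeholders.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Layout assumed from the `pkg audit` lines quoted in the message:
#   "<package> is vulnerable:" / description line(s) / "WWW: .../<vuxml-id>.html"
HEADER = re.compile(r"^(\S+) is vulnerable:$")
WWW = re.compile(r"^WWW:\s+\S*/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\.html$")


class Finding(NamedTuple):
    package: str
    description: str
    vid: str  # VuXML entry id taken from the WWW URL


def parse_audit(text: str) -> List[Finding]:
    """Turn raw pkg audit text into (package, description, VuXML id) records."""
    findings: List[Finding] = []
    pkg, desc = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pkg, desc = m.group(1), []
            continue
        m = WWW.match(line)
        if m and pkg:
            findings.append(Finding(pkg, " ".join(desc), m.group(1)))
            desc = []  # one package may carry several VuXML entries
            continue
        if pkg and line.strip():
            desc.append(line.strip())
    return findings


def filter_audit(text: str, accepted: Dict[str, str]) -> Tuple[List[Finding], List[Finding]]:
    """Return (still reported, suppressed). `accepted` maps VuXML id -> written
    justification; an empty justification never suppresses, so each override leaves a reason."""
    reported, suppressed = [], []
    for f in parse_audit(text):
        (suppressed if accepted.get(f.vid, "").strip() else reported).append(f)
    return reported, suppressed


# Constructed sample: the entry quoted in the thread plus a placeholder second entry.
SAMPLE = """python24-2.4.6 is vulnerable:
End of Life Ports
WWW: https://vuxml.FreeBSD.org/freebsd/7fe7df75-6568-11e6-a590-14dae9d210b8.html

example-1.0 is vulnerable:
example -- placeholder issue (constructed)
WWW: https://vuxml.FreeBSD.org/freebsd/00000000-0000-0000-0000-000000000000.html
"""
ACCEPTED = {"7fe7df75-6568-11e6-a590-14dae9d210b8": "EOL-only entry; host isolated, removal scheduled"}
```

Running `filter_audit(SAMPLE, ACCEPTED)` reports only `example-1.0` and sets the EOL entry aside with its justification still attached, so the suppressed list can be logged or reviewed rather than silently lost.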