Date: Sun, 26 Mar 2023 12:21:51 +0200
From: Tomek CEDRO <tomek@cedro.info>
To: Hubert Tournier <hubert.tournier@gmail.com>
Cc: freebsd-python@freebsd.org, freebsd-security <FreeBSD-security@freebsd.org>
Subject: Re: 45 vulnerable ports unreported in VuXML
Message-ID: <CAFYkXjnmxNh1EYRQHPYJbEAQegNoSERWGRE1HftyyiYwa3K6DA@mail.gmail.com>
In-Reply-To: <CADr%2Bmw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P%2BnEN5Gg7Yeo_A@mail.gmail.com>
References: <CADr%2Bmw-oh0txuXXoMptYOXBj1uwWNdeAESX6aE_iZxheFgY8gw@mail.gmail.com> <CADr%2Bmw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P%2BnEN5Gg7Yeo_A@mail.gmail.com>
On Sun, Mar 26, 2023, 12:17 Hubert Tournier wrote:
> Hello,
>
> While working on pipinfo <https://github.com/HubTou/pipinfo>, an alternative Python packages management tool, I noticed that some Python packages installed as FreeBSD ports were marked as vulnerable by the Python Packaging Authority <https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities> but not in the FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports security database.
>
> So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to check the 4.000+ FreeBSD ports for Python packages and found 45 of them vulnerable and unreported <https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
>
> I started producing new VuXML entries <https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
>
> In order to verify if these vulnerable ports were also marked as vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got carried away writing a whole utility, vuxml <https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of general interest to some of you?
>
> Best regards,
>
> PS: this approach could be extended to Rust crates, Ruby gems and so on with the vulnerabilities described in the OSV <https://osv.dev/>...

Sounds great and worth adding to the infra..?
:-)

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
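The cross-check Hubert describes (PyPA's per-release advisory list versus the VuXML entries for the corresponding port), as an added example that is not code from pipinfo, pysec2vuxml or vuxml. The PyPI JSON response and the VuXML fragment are constructed inline, the advisory and CVE identifiers are placeholders, and the port name is assumed to be the exact flavored name VuXML lists.

```python
"""Find PyPA advisories for a release that no VuXML entry for the port references."""
import json
import xml.etree.ElementTree as ET

# Default namespace used by the VuXML document.
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample of a PyPI JSON API release document (only the fields used here);
# identifiers are placeholders, not real advisories.
PYPI_JSON = json.dumps({
    "info": {"name": "examplepkg", "version": "1.0.0"},
    "vulnerabilities": [
        {"id": "PYSEC-0000-1", "aliases": ["CVE-0000-00001"],
         "fixed_in": ["1.0.1"], "link": "https://osv.dev/vulnerability/PYSEC-0000-1"},
    ],
})

# Constructed VuXML fragments: one covering the port, one with no entries at all.
VUXML_COVERED = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="00000000-0000-0000-0000-000000000001">
 <topic>py-examplepkg -- placeholder issue</topic>
 <affects><package><name>py39-examplepkg</name><range><lt>1.0.1</lt></range></package></affects>
 <references><cvename>CVE-0000-00001</cvename></references>
</vuln></vuxml>"""
VUXML_EMPTY = '<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"></vuxml>'


def pypa_advisories(pypi_json: str) -> list[dict]:
    """Advisories PyPI reports for the exact release that was queried."""
    return json.loads(pypi_json).get("vulnerabilities", [])


def vuxml_cve_index(vuxml_xml: str) -> dict[str, set[str]]:
    """Map each affected port name to the CVE names VuXML records for it."""
    index: dict[str, set[str]] = {}
    for vuln in ET.fromstring(vuxml_xml).findall("v:vuln", NS):
        cves = {c.text.strip() for c in vuln.findall("v:references/v:cvename", NS) if c.text}
        for name in vuln.findall("v:affects/v:package/v:name", NS):
            index.setdefault(name.text.strip(), set()).update(cves)
    return index


def unreported(port_name: str, pypi_json: str, vuxml_xml: str) -> list[str]:
    """PyPA advisory IDs whose ID or aliases appear in no VuXML entry for port_name."""
    known = vuxml_cve_index(vuxml_xml).get(port_name, set())
    return [adv["id"] for adv in pypa_advisories(pypi_json)
            if not ({adv["id"], *adv.get("aliases", [])} & known)]


if __name__ == "__main__":
    print("covered:", unreported("py39-examplepkg", PYPI_JSON, VUXML_COVERED))
    print("missing:", unreported("py39-examplepkg", PYPI_JSON, VUXML_EMPTY))
```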
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFYkXjnmxNh1EYRQHPYJbEAQegNoSERWGRE1HftyyiYwa3K6DA>
