From: Gerhard Schmidt <schmidt@ze.tum.de>
To: freebsd-security@freebsd.org
Subject: Ports EOL vuxml entry
Date: Mon, 22 Aug 2016 11:24:51 +0200
Message-ID: <6c3a84dc-5669-039c-6fa1-92565dd47dff@ze.tum.de>
List-Id: "Security issues [members-only posting]"
Hi,

today there was a new entry added to the vuxml file including all outdated ports. Where is the value in this entry? The information is already in the fact that the port has been removed. This file should only contain real vulnerabilities, not maybe-vulnerable, non-existent ports.

Right now this breaks my system for finding vulnerable ports on my systems, because all systems with legacy code show up with this entry. Please only add real vulnerabilities to this file.

Maybe pkg audit should print a warning (suppressible by a command-line switch or a whitelist in the config file) when discontinued ports are installed. Putting all well-known discontinued ports in a vuxml entry isn't a clean way to do it and creates a false impression of security, because all the not-so-well-known discontinued ports are not in this list and users might depend on this warning.
Regards
Estartu

-- 
----------------------------------------------------------
Gerhard Schmidt              | E-Mail: schmidt@ze.tum.de
Technische Universität München | Jabber: estartu@ze.tum.de
WWW & Online Services        | Tel: +49 89 289-25270
                             | Fax: +49 89 289-25257
PGP-PublicKey on request
----------------------------------------------------------
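The separation the mail asks for, as an added example that is not code from the mail, from the vuxml project or from FreeBSD's pkg: a small Python audit reads a constructed vuxml-style fragment, classifies each entry as a real vulnerability or as a blanket discontinued-ports entry, and reports the latter only as suppressible warnings that never count as findings. The keyword heuristic on the topic text, the package names, vids and versions, and the simplified numeric version comparison (not pkg's real version rules) are all assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed vuxml-style fragment (not the real entry the mail refers to):
# one ordinary vulnerability plus one blanket "ports removed" entry.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
 <vuln vid="EXAMPLE-0001"><topic>foo -- remote code execution</topic>
  <affects><package><name>foo</name><range><lt>1.2</lt></range></package></affects></vuln>
 <vuln vid="EXAMPLE-0002"><topic>Ports removed from the tree and no longer maintained</topic>
  <affects><package><name>legacy-tool</name><range><ge>0</ge></range></package>
           <package><name>oldlib</name><range><ge>0</ge></range></package></affects></vuln>
</vuxml>"""
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
# Assumed heuristic: an entry whose topic carries one of these phrases is an
# end-of-life notice, not a vulnerability report.
EOL_MARKERS = ("removed from the tree", "end-of-life", "discontinued")
OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
       "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b}

def _vtuple(v):
    # Simplified: compare only the numeric components (not pkg's real rules).
    return tuple(int(p) for p in re.findall(r"\d+", v))

def in_range(version, rng):
    """True if every bound element of a <range> holds for the version."""
    return all(OPS[c.tag.split("}")[1]](_vtuple(version), _vtuple(c.text)) for c in rng)

def classify(vuxml_text):
    """Split the vuxml entries into (vulnerabilities, eol_notices)."""
    vulns, eol = [], []
    for v in ET.fromstring(vuxml_text).findall("v:vuln", NS):
        topic = v.findtext("v:topic", "", NS)
        pkgs = [(p.findtext("v:name", "", NS), p.findall("v:range", NS))
                for p in v.findall("v:affects/v:package", NS)]
        bucket = eol if any(m in topic.lower() for m in EOL_MARKERS) else vulns
        bucket.append((v.get("vid"), topic, pkgs))
    return vulns, eol

def audit(installed, vuxml_text, whitelist=(), warn_eol=True):
    """installed: {name: version}. Returns (findings, eol_warnings); only the
    former should affect the audit result, the latter is informational."""
    vulns, eol = classify(vuxml_text)
    def hits(entries):
        return [(name, vid, topic) for vid, topic, pkgs in entries
                for name, ranges in pkgs if installed.get(name) is not None
                and any(in_range(installed[name], r) for r in ranges)]
    warnings = [h for h in hits(eol) if h[0] not in whitelist] if warn_eol else []
    return hits(vulns), warnings
```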