Date: Sun, 13 Aug 2017 20:32:25 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: Remko Lodder <remko@FreeBSD.org>
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Message-ID: <nycvar.OFS.7.76.1708132022470.4437@eboyr.pbz>
In-Reply-To: <0F48B4BB-BB2C-479D-9F43-006D73C1E218@FreeBSD.org>
References: <nycvar.OFS.7.76.1708101931090.13252@eboyr.pbz> <C540BA50-5F06-4F99-A575-D27347A3F527@FreeBSD.org> <D12FD70B-2F2B-4895-AB9D-1BD72F8512B6@FreeBSD.org> <nycvar.OFS.7.76.1708111441430.53156@eboyr.pbz> <B1E5DD0C-8BBD-4F37-855C-447F28B0B49C@FreeBSD.org> <nycvar.OFS.7.76.1708111716080.86615@eboyr.pbz> <0F48B4BB-BB2C-479D-9F43-006D73C1E218@FreeBSD.org>
> I do not think that holds:
>
> <vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
>   <topic>php -- multiple vulnerabilities</topic>
>   <affects>
>     <package>
>       <name>php55</name>
>       <range><lt>5.5.38</lt></range>
>     </package>
>
> This is an entry from svnweb, for php55, which was added in 2016 (07-26).
>
> So this entry is there. Thus it did not disappear from VuXML at least.

You are right, Remko. It looks like there was a policy, or at least a practice, change about a year ago. I even have an archived email from Gerhard Schmidt, who first noticed it back in Aug 2016. My fault for not doing sufficient fact rechecking, so we are safe from false negatives after all. Hurray, I can stop relying on pkg-version (for this).

That leaves just unpackaged base as FreeBSD's remaining audit weakness.

Roger
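As an added example (not part of the thread or of pkg itself), the following Python mirrors how a `pkg audit` style check decides whether an installed php55 falls inside the quoted VuXML `<range><lt>5.5.38</lt></range>`. The VuXML fragment and the installed-package list are constructed for illustration (the php56 range and the omitted `xmlns` are simplifications), and the version ordering is a simplified model of pkg's epoch/revision rules rather than pkg's full algorithm.

```python
import re
import xml.etree.ElementTree as ET
# Constructed VuXML fragment modelled on the php55 entry quoted above; the php56
# range and the omitted xmlns are illustration-only simplifications.
VUXML = """<vuxml>
<vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
  <topic>php -- multiple vulnerabilities</topic>
  <affects>
    <package><name>php55</name><range><lt>5.5.38</lt></range></package>
    <package><name>php56</name><range><ge>5.6.0</ge><lt>5.6.24</lt></range></package>
  </affects>
</vuln>
</vuxml>"""

# Constructed "pkg info"-style list of installed (name, version) pairs.
INSTALLED = [("php55", "5.5.37"), ("php55", "5.5.38"),
             ("php56", "5.6.23_1"), ("php56", "5.6.10_2,1")]

def parse_version(v):
    """Simplified pkg ordering: PORTEPOCH ',N', then dotted numbers, then PORTREVISION '_N'."""
    epoch = revision = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    return (epoch, [int(x) for x in re.findall(r"\d+", v)], revision)

# VuXML range operators; every element inside one <range> must hold.
OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b}

def affected_vids(root, name, version):
    """Return the vids whose <affects> match this package name and version."""
    inst, hits = parse_version(version), []
    for vuln in root.iter("vuln"):
        for pkg in vuln.iter("package"):
            if pkg.findtext("name") != name:
                continue
            # Several <range> elements are alternatives; one match is enough.
            if any(all(OPS[c.tag](inst, parse_version(c.text)) for c in rng)
                   for rng in pkg.iter("range")):
                hits.append(vuln.get("vid"))
    return hits

def audit(vuxml_text, installed):
    """Map 'name-version' to the matching vids, like one pkg audit pass."""
    root = ET.fromstring(vuxml_text)
    return {f"{n}-{v}": affected_vids(root, n, v) for n, v in installed}
```

Note the epoch case: php56-5.6.10_2,1 is numerically older than 5.6.24 but its PORTEPOCH of 1 sorts it above every epoch-0 version, so it is correctly reported clean.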