From owner-freebsd-security@freebsd.org Tue Aug 23 06:23:13 2016
Subject: Re: Ports EOL vuxml entry
To: Roger Marquis, freebsd-security@freebsd.org
From: Gerhard Schmidt
Reply-To: schmidt@ze.tum.de
Organization: Technische Universität München - WWW und Online Services
Date: Tue, 23 Aug 2016 08:23:08 +0200
In-Reply-To: <3sHwFX4YYpz1y2W@mailrelay2.lrz.de>
References: <6c3a84dc-5669-039c-6fa1-92565dd47dff@ze.tum.de> <3sHwFX4YYpz1y2W@mailrelay2.lrz.de>
List-Id: "Security issues [members-only posting]"

On 22.08.2016 at 15:54, Roger Marquis wrote:
>> today there was a new entry added to the vuxml file including all
>> outdated ports. Where is the value in this entry?
>
> This is good news for many of us Gerhard, who depend on the output of
> 'pkg audit' for vulnerability information.

Is an outdated (EOL) port a vulnerability? I don't think so. It's a
possible vulnerability, but not a real one.

>> In this file there should only be real vulnerabilities and not possibly
>> vulnerable, no longer existing ports.
>
> You raise two issues here, A) what constitutes a 'real' vulnerability
> and B) how else would you be warned of probable vulnerabilities (due to
> unmaintained and unaudited code). There is 'pkg version' of course but
> few sites use this flag and fewer still use it for vulnerability
> information.

A real vulnerability is a bug in the software that allows an attacker to
gain access to a system or a higher level of access on a system. Most
code is really unaudited. Many of the recent security problems were in
well-maintained code. So saying that unaudited and unmaintained code is
a vulnerability is wrong. It's a security risk. But the vuxml database
is not about security risks. It's about actual and proven
vulnerabilities.

>> Right now this breaks my system to find vulnerable ports on my systems
>> because all systems with legacy code show up with this entry.
>
> Can you post details of how it breaks your system?

I'm monitoring my FreeBSD servers (about 60 of them) with Icinga and
have a test that queries pkg audit to see whether any of the installed
packages are vulnerable. I have some servers that run legacy code that
still needs python24. Every one of these machines reports right now that
there is a vulnerable package installed, and there is no way to tell pkg
audit to stop reporting it. Sure, I can filter python24 from the pkg
audit output so it doesn't trigger the warning. But if a real
vulnerability is reported for python24 I don't get it. I know that's a
theoretical possibility, but it still reduces my systems' reliability.

>> Maybe pkg audit should print a warning (suppressible by a command-line
>> switch or a whitelist in the config file) when discontinued ports are
>> installed.
>
> A command line switch to ignore deprecated, discontinued and otherwise
> unaudited ports is an excellent idea though I don't think there will be
> much demand for it. A default 'warn if deprecated' will no doubt be the
> modal usage and benefit the larger community (who have until now been
> misled by the output of 'pkg audit').

As stated in the original mail: outdated, unmaintained ports should not
be part of the vulnerability database because they are not a
vulnerability. They are a different kind of security risk, and pkg audit
should report them by default as that, but not as a vulnerability. There
should be a way to state that the sysadmin is aware of the outdated port
and prevent pkg audit from reporting it over and over again. We could do
that easily in pkg.conf. A line like ignore_outdated=python24 would be
sufficient.

Regards
Estartu

-- 
----------------------------------------------------------
Gerhard Schmidt                | E-Mail: schmidt@ze.tum.de
Technische Universität München | Jabber: estartu@ze.tum.de
WWW & Online Services          | Tel: +49 89 289-25270
                               | PGP-PublicKey
Fax: +49 89 289-25257          | on request

-- 
-------------------------------------------------
Gerhard Schmidt       | E-Mail: schmidt@ze.tum.de
TU-München            | Jabber: estartu@ze.tum.de
WWW & Online Services | Tel: 089/289-25270
                      | Fax: 089/289-25257
                      | PGP public key on request
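An added example (not code from the thread, from pkg, or from Icinga) of a check in the spirit of the ignore_outdated=python24 proposal: it parses `pkg audit` output, separates EOL notices from real advisories, and applies the ignore list only to the EOL class, so a later real advisory for python24 would still alert instead of being filtered away with the package name. The sample output and advisory texts are constructed; the block layout is assumed from the tool's usual output.

```python
import re

# Constructed sample of `pkg audit` output: the block layout follows the real
# tool, but the package version, advisory texts and the CVE id are placeholders.
SAMPLE_AUDIT = """\
python24-2.4.6_6 is vulnerable:
python24 -- port has reached end of life and is no longer maintained
WWW: https://vuxml.FreeBSD.org/freebsd/EXAMPLE-EOL-ENTRY.html

python24-2.4.6_6 is vulnerable:
python24 -- constructed example of a real advisory (buffer overflow)
CVE: CVE-0000-00000
WWW: https://vuxml.FreeBSD.org/freebsd/EXAMPLE-VULN-ENTRY.html

2 problem(s) in the installed packages found.
"""

EOL_WORDS = re.compile(r"end[- ]of[- ]life|no longer maintained|discontinued|deprecated", re.I)
HEADER = re.compile(r"^(\S+) is vulnerable:$")

def parse_audit(text):
    """Return one dict per advisory block: full pkg, name without version, description, CVEs."""
    findings = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue  # the trailing "N problem(s) ... found." summary, not a finding
        pkg = m.group(1)
        cves = [l.split(":", 1)[1].strip() for l in lines[1:] if l.startswith("CVE:")]
        findings.append({"pkg": pkg, "name": pkg.rsplit("-", 1)[0],
                         "desc": lines[1] if len(lines) > 1 else "", "cves": cves})
    return findings

def classify(f):
    """'eol' only for EOL-style wording without a CVE; anything else fails closed as 'vuln'."""
    if f["cves"] or not EOL_WORDS.search(f["desc"]):
        return "vuln"
    return "eol"

def evaluate(findings, ignore_outdated=frozenset()):
    """Nagios/Icinga style result: (exit code, message). The ignore list only silences
    the EOL class, so a real advisory for an ignored package still raises CRITICAL."""
    vulns = [f for f in findings if classify(f) == "vuln"]
    eol = [f for f in findings if classify(f) == "eol" and f["name"] not in ignore_outdated]
    if vulns:
        return 2, "CRITICAL: vulnerable: " + ", ".join(f["pkg"] for f in vulns)
    if eol:
        return 1, "WARNING: end-of-life ports: " + ", ".join(f["pkg"] for f in eol)
    return 0, "OK: no unacknowledged findings"
```

In a plugin, feed the captured `pkg audit` output to `parse_audit`, pass the acknowledged port names to `evaluate`, and exit with the returned code.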