Date:      Tue, 23 Aug 2016 08:50:44 -0700 (PDT)
From:      Roger Marquis <marquis@roble.com>
To:        schmidt@ze.tum.de
Cc:        freebsd-security@freebsd.org
Subject:   Re: Ports EOL vuxml entry
In-Reply-To: <a0a8f797-859e-23f7-7606-72a7dc50acb0@ze.tum.de>
References:  <6c3a84dc-5669-039c-6fa1-92565dd47dff@ze.tum.de> <3sHwFX4YYpz1y2W@mailrelay2.lrz.de> <a0a8f797-859e-23f7-7606-72a7dc50acb0@ze.tum.de>

> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.

Exactly.  The meta-discussion we're having is regarding the word 'audit'
(in 'pkg audit').  When you or I audit a server or a site the client
always wants to know about potential vulnerabilities as well as known
ones.  This is because the deliverable is a measure of risk, not just
proven risks but also potential risks.  Even the commercial scanning
tools (Tripwire, Qualys ...) report on potential vulnerabilities as well
as those documented in CVEs.

> I have some servers that run legacy code that still needs
> python24. Every one of these machines reports right now that there is a
> vulnerable package installed and there is no way to tell pkg audit to
> stop reporting it.

If my reading of
<www.cvedetails.com/vulnerability-list/vendor_id-1238/Python-Software-Foundation.html>
is correct python24 has documented vulnerabilities.  This is expected of
deprecated software and the reason many of us want to know which
installed packages are deprecated when we run 'pkg audit'.

> Sure I can filter python24 from the pkg audit output so it doesn't trigger
> the warning.

Why not just 'grep vulnerable' if that's your goal, or 'grep -v
deprecated' (or use a pkg flag to that effect if and when one becomes
available)?

> They are a different kind of Security risk and pkg audit should report
> them by default as that, but not as vulnerability.

But it's not reporting them as vulnerable, it is reporting them as
deprecated or unmaintained.

> There should be a way to state that the sysadmin is aware of the
> outdated port and prevent pkg audit from reporting it

Agreed, though I expect such a report would see little use.

Roger

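The two ideas in this exchange, Roger's 'grep vulnerable' / 'grep -v deprecated' filtering and the quoted request for a way to record that the sysadmin already knows about an EOL port, as an added example that is not part of this thread: a POSIX shell filter over pkg audit style output. The audit lines are constructed and only approximate what pkg prints; the acknowledgment list and the function name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: split 'pkg audit' style output into
# "vulnerable" and "deprecated" findings and suppress deprecation notices
# for packages the admin has acknowledged. Vulnerability notices are never
# suppressed, since an acknowledged EOL package can still carry a real CVE.

# Constructed sample of audit output (not real pkg output; the exact wording
# pkg prints for deprecated ports may differ).
SAMPLE_AUDIT='python24-2.4.6_4 is vulnerable:
Python -- multiple vulnerabilities
WWW: (placeholder)

python24-2.4.6_4 is deprecated: EOL upstream
libfoo-1.2 is deprecated: unmaintained upstream
openssl-1.0.2h is vulnerable:
OpenSSL -- example issue
WWW: (placeholder)'

# Acknowledged packages, space-separated, by name without version.
# Assumption: kept in a shell variable here; in practice read it from a file.
ACKED='python24'

# filter_audit CLASS: read audit output on stdin and print the names of
# packages flagged with CLASS ("vulnerable" or "deprecated"), one per line.
# Acknowledged packages are dropped only for CLASS=deprecated.
filter_audit() {
    class="$1"
    awk -v class="$class" -v acked="$ACKED" '
        BEGIN { n = split(acked, a, " "); for (i = 1; i <= n; i++) ack[a[i]] = 1 }
        $2 == "is" && $3 ~ ("^" class) {
            pkg = $1
            sub(/-[^-]*$/, "", pkg)            # strip the trailing -version
            if (class == "deprecated" && (pkg in ack)) next
            print pkg
        }'
}

# Usage: pkg audit | filter_audit deprecated
printf '%s\n' "$SAMPLE_AUDIT" | filter_audit vulnerable    # python24, openssl
printf '%s\n' "$SAMPLE_AUDIT" | filter_audit deprecated    # libfoo
```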