From owner-freebsd-security@freebsd.org  Tue Aug 23 15:50:51 2016
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6271BBC2017
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Tue, 23 Aug 2016 15:50:51 +0000 (UTC)
 (envelope-from marquis@roble.com)
Received: from mx5.roble.com (mx5.roble.com [206.40.34.5])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 475FB17D0
 for <freebsd-security@freebsd.org>; Tue, 23 Aug 2016 15:50:50 +0000 (UTC)
 (envelope-from marquis@roble.com)
Date: Tue, 23 Aug 2016 08:50:44 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: schmidt@ze.tum.de
cc: freebsd-security@freebsd.org
Subject: Re: Ports EOL vuxml entry
In-Reply-To: <a0a8f797-859e-23f7-7606-72a7dc50acb0@ze.tum.de>
References: <6c3a84dc-5669-039c-6fa1-92565dd47dff@ze.tum.de>
 <3sHwFX4YYpz1y2W@mailrelay2.lrz.de>
 <a0a8f797-859e-23f7-7606-72a7dc50acb0@ze.tum.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2016 15:50:51 -0000

> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.

Exactly.  The meta-discussion we're having is regarding the word 'audit'
(in 'pkg audit').  When you or I audit a server or a site the client
always wants to know about potential vulnerabilities as well as known
ones.  This is because the deliverable is a measure of risk, not just
proven risks but also potential risks.  Even the commercial scanning
tools (Tripwire, Qualis ...) report on potential vulnerabilities as well
as those documented in CVEs.

> I have some servers that run legacy code that still needs
> python24. Every one of this machines reports right now that there is a
> vulnerable package installed and there is no way to tell pkg audit to
> stop reporting it.

If my reading of
<www.cvedetails.com/vulnerability-list/vendor_id-1238/Python-Software-Foundation.html>
is correct python24 has documented vulnerabilities.  This is expected of
deprecated software and the reason many of us want to know which
installed packages are deprecated when we run 'pkg audit'.

> Sure i can filter python24 from the pkg audit output so it doesn't trigger
> the warning.

Why not just 'grep vulnerable' if that's your goal, or 'grep -v
deprecated' (or use a pkg flag to that effect if and when one becomes
available)?

> They are a different kind of Security risk and pkg audit should report
> them by default as that, but not as vulnerability.

But it's not reporting them as vulnerable, it is reporting them as
deprecated or unmaintained.

> There should be a way to state that the sysadmin is aware of the
> outdated port and prevent pkg audit from reporting it

Agreed though I expect such a report would see little use.

Roger