From: Xin Li
To: freebsd-security@freebsd.org
Cc: d@delphij.net, zingelman@fnal.gov
Subject: Re: Ports EOL vuxml entry
Date: Wed, 24 Aug 2016 17:36:18 +0800
Message-ID: <0a6f9f6a-349a-0d03-69f8-97ad7c4d96b2@delphij.net>
References: <6c3a84dc-5669-039c-6fa1-92565dd47dff@ze.tum.de> <3sHwFX4YYpz1y2W@mailrelay2.lrz.de>

On 8/23/16 14:23, Gerhard Schmidt wrote:
> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.

Do you have an exact VuXML ID? I don't think vuxml actually warns about
EoL'ed software, and it's likely that you have an actual issue and choose
to ignore it (probably for a legitimate reason).

If it's just reporting software being outdated (rather than really
vulnerable to something), then we should change the entry; I doubt that
this is not the case, though.

It seems to be sensible to implement Tim's suggestion, however, that
allows the system administrator to explicitly override certain VuXML IDs,
if they really know what they are doing.

Cheers,
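The override mechanism endorsed in the message above (Tim's suggestion, as relayed by Xin Li), sketched as an added example that is not part of the original thread and not code from pkg(8) or the FreeBSD ports tree: a small Python filter that takes pkg audit-style output and an administrator-maintained list of accepted VuXML IDs, lists the accepted findings so they remain visible, and exits non-zero only for findings nobody has accepted. The audit text and the override file contents are constructed samples; the override file path, the exact output shape, and every function name are assumptions, and the real pkg audit format may differ.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed sample in the shape of `pkg audit -F` output (not captured from a
# real host; the real tool's format may differ, and the VuXML IDs are placeholders).
SAMPLE_AUDIT = """\
foo-1.2.3 is vulnerable:
foo -- end of life (no further security fixes)
WWW: https://vuxml.FreeBSD.org/freebsd/00000000-0000-0000-0000-000000000001.html

bar-4.5 is vulnerable:
bar -- remote code execution
CVE: CVE-0000-0001
WWW: https://vuxml.FreeBSD.org/freebsd/00000000-0000-0000-0000-000000000002.html

2 problem(s) in the installed packages found.
"""

# Hypothetical administrator override file: one accepted VuXML ID per line;
# '#' starts a comment (use it to record who accepted the risk, why, and when).
SAMPLE_OVERRIDES = """\
# /usr/local/etc/pkg-audit-overrides.conf  (hypothetical path)
00000000-0000-0000-0000-000000000001  # foo EOL: isolated host, accepted 2016-08-24
"""

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
WWW_RE = re.compile(r"/(" + UUID + r")\.html", re.IGNORECASE)
ID_RE = re.compile(r"^" + UUID + r"$", re.IGNORECASE)
HEADER_RE = re.compile(r"^(\S+) is vulnerable:$")


@dataclass
class Finding:
    package: str
    title: str = ""
    vuxml_ids: List[str] = field(default_factory=list)


def parse_audit(text: str) -> List[Finding]:
    """Split audit output into per-package findings, collecting each one's VuXML IDs."""
    findings: List[Finding] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Finding(package=m.group(1))
            findings.append(current)
            continue
        if current is None or not line.strip():
            current = None  # a blank line closes the current finding block
            continue
        if line.startswith("WWW:"):
            u = WWW_RE.search(line)
            if u:
                current.vuxml_ids.append(u.group(1).lower())
        elif not line.startswith("CVE:") and not current.title:
            current.title = line.strip()  # first free-text line is the entry title
    return findings


def parse_overrides(text: str) -> Set[str]:
    """Read accepted VuXML IDs; ignore comments and anything that is not a UUID."""
    accepted: Set[str] = set()
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if token and ID_RE.match(token):
            accepted.add(token.lower())
    return accepted


def apply_overrides(findings: List[Finding], accepted: Set[str]) -> Tuple[List[Finding], List[Finding]]:
    """Suppress a finding only if every VuXML ID attached to it was explicitly accepted."""
    remaining, suppressed = [], []
    for f in findings:
        if f.vuxml_ids and all(i in accepted for i in f.vuxml_ids):
            suppressed.append(f)
        else:
            remaining.append(f)
    return remaining, suppressed


def audit_exit_code(audit_text: str, overrides_text: str, out=sys.stderr) -> int:
    """Return 0 when only accepted findings remain, 1 otherwise; accepted ones are still listed."""
    remaining, suppressed = apply_overrides(parse_audit(audit_text), parse_overrides(overrides_text))
    for f in suppressed:
        print(f"[accepted] {f.package}: {f.title} ({', '.join(f.vuxml_ids)})", file=out)
    for f in remaining:
        ids = ", ".join(f.vuxml_ids) or "no VuXML ID"
        print(f"[VULNERABLE] {f.package}: {f.title} ({ids})", file=out)
    return 1 if remaining else 0


if __name__ == "__main__":
    sys.exit(audit_exit_code(SAMPLE_AUDIT, SAMPLE_OVERRIDES))
```

Two design points matter for an override like this: an accepted finding is still printed (with its recorded reason) rather than silently dropped, so the accepted risk stays visible in every periodic report, and a finding is suppressed only when all of its VuXML IDs are on the list, so a newly attached advisory for the same package brings the package back to a failing state.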