pkg audit false negatives
Remko Lodder
remko at FreeBSD.org
Sat Aug 12 07:57:48 UTC 2017
> On 12 Aug 2017, at 02:37, Roger Marquis <marquis at roble.com> wrote:
>
> On Fri, 11 Aug 2017, Remko Lodder wrote:
>
>> If an entry is removed from the ports/pkg trees and it is also removed
>> from VuXML, then yes, it will no longer get marked in your local
>> installation. That's a bit of a chicken and egg basically. Although I do
>> not recall that it ever happened that ports that are no longer there, are
>> removed from VuXML as well. (And I follow that since 2004).
>> Do you have a more concrete example that we can dive into to see what is
>> going on/going wrong?
>
> Should be able to find missing VuXML entries for most anything that has
> been deprecated from the ports tree, but most of the ones I've seen are
> for web programming languages, particularly php.
I do not think that holds:
<vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
  <topic>php -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>php55</name>
      <range><lt>5.5.38</lt></range>
    </package>
This is an entry from svnweb, for php55, which was added on 2016-07-26.
So this entry is there. Thus it did not disappear from VuXML at least.
Can you show such a package from your local installation(s) and present a
``pkg audit -F`` alongside it. I would also like to see a detailed ``pkg info``
for the affected pkg.
Thanks a lot in advance,
Remko
>
> For example, when php5X was dropped it also disappeared from VuXML, with
> no small number of servers still using it. If those sites depended on
> pkg-audit to tell them they had a vulnerability, well, they were out of
> luck. There was no warning, no error, no disclaimer; pkg-audit did and
> still does nothing different than it would for a non-vulnerable port or
> package.
>
> There may be more vulnerabilities in the wild from non-packaged base, as
> it is larger, but at least people are working on that. Pkg-audit
> tracking of installed but deprecated ports, OTOH, seems to have fallen
> through the cracks. Even the FreeBSD Foundation and the ports-security
> teams appear to be ignoring this issue.
>
> Roger Marquis
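The disagreement above is about a silent case: pkg audit prints nothing both for a package that VuXML says is clean and for a package that VuXML does not mention at all. The script below is an added example, not part of the thread or of pkg(8), that walks a VuXML document the way pkg audit does (match the installed name against each <package><name>, then test the version against every bound in a <range>) and additionally reports installed packages with no entry anywhere. The VuXML text and the installed-package list are constructed for the example: the php55 entry repeats the vid and bound quoted from svnweb above, while the php56 range and the libexample package are assumptions made up here. Version ordering is a simplified epoch/dotted-numeric/PORTREVISION comparison that rejects alpha suffixes rather than reproducing pkg(8)'s full rules.

```python
"""Match installed packages against VuXML ranges, and flag packages that
no VuXML entry mentions at all (the silent case the thread is about)."""
import re
import xml.etree.ElementTree as ET

VUXML_NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed VuXML excerpt for this example. The php55 entry mirrors the
# one quoted from svnweb in the thread; the php56 package is an assumption
# added here to give a "named but not affected" case.
VUXML_SAMPLE = """\
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
    <topic>php -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>php55</name>
        <range><lt>5.5.38</lt></range>
      </package>
      <package>
        <name>php56</name>
        <range><lt>5.6.24</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

# Constructed `pkg info`-style list (name-version). libexample is invented
# so that one installed package matches no <name> anywhere in the sample.
INSTALLED_SAMPLE = ["php55-5.5.37", "php56-5.6.24", "libexample-2.1_1"]

_PKGVER_RE = re.compile(r"^(?P<ver>[^_,]+)(?:_(?P<rev>\d+))?(?:,(?P<epoch>\d+))?$")


def parse_version(text):
    """'version[_revision][,epoch]' -> (epoch, numeric components, revision).

    Simplified ordering. Alpha components (a1, rc2, ...) are rejected rather
    than guessed at; pkg(8) has rules for those that are not reproduced here.
    """
    m = _PKGVER_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable version: %r" % text)
    comps = m.group("ver").split(".")
    if not all(c.isdigit() for c in comps):
        raise ValueError("non-numeric version component in %r" % text)
    return (int(m.group("epoch") or 0),
            tuple(int(c) for c in comps),
            int(m.group("rev") or 0))


def split_pkgname(pkgname):
    """'py27-foo-1.0_2' -> ('py27-foo', '1.0_2'); a version never contains '-'."""
    name, _, version = pkgname.rpartition("-")
    if not name:
        raise ValueError("expected name-version, got %r" % pkgname)
    return name, version


_OPS = {
    "lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version, range_el):
    """True when every bound in one <range> holds (e.g. <ge>1.0</ge><lt>1.2</lt>)."""
    v = parse_version(version)
    for bound in range_el:
        op = bound.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if not _OPS[op](v, parse_version(bound.text)):
            return False
    return True


def audit(vuxml_text, installed):
    """Return {name: (state, [vids])}, state being 'vulnerable',
    'not affected' or 'no VuXML entry'. pkg audit only ever reports the
    first; the third is where silence and "clean" look identical."""
    root = ET.fromstring(vuxml_text)
    known = {}  # package name -> [(vid, [<range> elements])]
    for vuln in root.findall("v:vuln", VUXML_NS):
        vid = vuln.get("vid")
        for pkg in vuln.findall("v:affects/v:package", VUXML_NS):
            ranges = pkg.findall("v:range", VUXML_NS)
            for name_el in pkg.findall("v:name", VUXML_NS):  # one <package> may list several names
                known.setdefault(name_el.text.strip(), []).append((vid, ranges))

    results = {}
    for pkgname in installed:
        name, version = split_pkgname(pkgname)
        if name not in known:
            results[name] = ("no VuXML entry", [])
            continue
        hits = [vid for vid, ranges in known[name]
                if any(in_range(version, r) for r in ranges)]
        results[name] = ("vulnerable", hits) if hits else ("not affected", [])
    return results


if __name__ == "__main__":
    for name, (state, vids) in sorted(audit(VUXML_SAMPLE, INSTALLED_SAMPLE).items()):
        print("%-12s %-16s %s" % (name, state, " ".join(vids)))
```

On a real host the inputs would be the fetched vuln.xml and the output of ``pkg info``; the point of the third state is that a deprecated port whose name appears in no <package> at all shows up explicitly instead of being indistinguishable from a clean package, which is exactly what ``pkg audit -F`` output alone cannot tell you.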