cvs commit: ports/multimedia/xine Makefile
Peter Jeremy
peterjeremy at optushome.com.au
Mon Mar 29 23:37:18 PST 2004
On Mon, Mar 29, 2004 at 08:14:29PM +0200, Oliver Eikemeier wrote:
>I guess we have to add a severity tag then, to enable `soft'
>vulnerabilities. I have an automated script that barks on unmarked
>vulnerabilities, and it can't decide which vulnerability is
>`important'.
Let me offer two (admittedly hypothetical) examples as to why this
can't work:
1) port "foo" has a severe IPv6 vulnerability: It includes a network
daemon process which has a bug allowing an attacker to execute
arbitrary commands as root by sending IPv6 packets. There's no
vulnerability for IPv4. Despite the seriousness of this bug, it
doesn't affect me because I don't run IPv6 - it's not even compiled
into my kernel.
2) port "bar" has an apparently trivial vulnerability that only appears
when a particularly obscure set of configuration options are used.
I need "bar" with those particular options as part of a business-critical
application - the vulnerability is critical to me and I
need to know that I need to avoid the affected versions.
It might be "obvious" that "foo" should be FORBIDDEN and "bar" shouldn't
be, but this is precisely the opposite behaviour to what I need.
I can't see any way to automate this.
Peter
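An added illustration of the argument above, not code from this thread or from the FreeBSD ports tooling: the same two hypothetical vulnerability records are judged once by a global severity tag and once against a site profile, and the two answers are opposite. Port names, version ranges, the feature labels and the `requires` precondition set are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    port: str
    severity: str        # global tag a maintainer would assign: "critical" or "low"
    affected: tuple      # (lowest, highest) affected version, inclusive; constructed
    requires: frozenset  # site features that must ALL be present to be exposed

@dataclass(frozen=True)
class Site:
    installed: dict            # port name -> installed version
    features: frozenset        # e.g. "ipv6", "bar:obscure_opts" (constructed labels)
    critical_ports: frozenset  # ports this site considers business-critical

def version_tuple(v):
    # "1.4.2" -> (1, 4, 2) so version ranges compare numerically
    return tuple(int(x) for x in v.split("."))

def applies(vuln, site):
    # Exposed only if the installed version is in range AND every precondition holds.
    ver = site.installed.get(vuln.port)
    if ver is None:
        return False
    lo, hi = vuln.affected
    if not version_tuple(lo) <= version_tuple(ver) <= version_tuple(hi):
        return False
    return vuln.requires <= site.features

def global_forbidden(vulns):
    # What a severity-only script marks FORBIDDEN, with no knowledge of the site.
    return {v.port for v in vulns if v.severity == "critical"}

def local_forbidden(vulns, site):
    # Same records for one site: actually exposed, and critical either globally or locally.
    return {v.port for v in vulns
            if applies(v, site)
            and (v.severity == "critical" or v.port in site.critical_ports)}

# Constructed records for the two hypothetical ports in the message.
VULNS = (
    Vuln("foo", "critical", ("1.0", "1.4"), frozenset({"ipv6"})),
    Vuln("bar", "low", ("2.0", "2.1"), frozenset({"bar:obscure_opts"})),
)
# Constructed site profile: no IPv6 in the kernel; "bar" built with the obscure options and business-critical.
PETERS_SITE = Site(
    installed={"foo": "1.2", "bar": "2.1"},
    features=frozenset({"bar:obscure_opts"}),
    critical_ports=frozenset({"bar"}),
)
```

For this site `global_forbidden` returns {"foo"} while `local_forbidden` returns {"bar"}; the severity tag alone cannot encode the difference, only the site's own profile can.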