Keeping VuXML DB updated

Kurt Jaeger lists at opsec.eu
Sat May 6 09:32:15 UTC 2017


Hi!

> Due to a vulnerability issue earlier with a port, I received some kind
> emails about using the command below to update the VuXML DB (which is not
> a part of the ports tree).
> 
> I did so on my server and got the following output:
> 
> --- cut ---
> 
>  > pkg audit -F
> vulnxml file up-to-date
> tiff-4.0.7_1 is vulnerable:
> tiff -- multiple vulnerabilities
> CVE: CVE-2017-7602
[...]

> What is the next procedure to follow; should I inform the port 
> maintainer of the reported port

portmgr knows about this, but there's no solution right now.

> (ports are a user group effort) or
> should I update this port with "DISABLE_VULNERABILITIES=yes" ?

There are ports that depend on tiff, and maybe you are using one
of them. If you do not need those other ports, remove tiff.

Otherwise: this (DISABLE_VULNERABILITIES) is, while not perfect,
the next step.

-- 
pi at opsec.eu            +49 171 3101372                         3 years to go !
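
The triage the reply describes (remove the port if nothing needs it, otherwise keep it for now), as an added sh example that is not part of the original message: it pulls the vulnerable package names out of `pkg audit` output and counts what depends on each with `pkg info -qr`. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage `pkg audit` findings by
# checking whether any installed package depends on the vulnerable one.

# Read `pkg audit` output on stdin, print each vulnerable name-version once.
vulnerable_pkgs() {
    sed -n 's/^\([^[:space:]]*\) is vulnerable:.*$/\1/p' | sort -u
}

# Constructed sample, modelled on the output quoted in the thread.
sample_audit() {
    cat <<'EOF'
vulnxml file up-to-date
tiff-4.0.7_1 is vulnerable:
tiff -- multiple vulnerabilities
CVE: CVE-2017-7602
EOF
}

# classify <name-version> <number of installed packages that require it>
classify() {
    if [ "$2" -eq 0 ]; then
        echo "$1: nothing depends on it; candidate for removal"
    else
        echo "$1: required by $2 package(s); review before removing"
    fi
}

# Live run: only meaningful on a host that has pkg(8).
triage_host() {
    # -F fetches the current VuXML database before auditing.
    pkg audit -F 2>/dev/null | vulnerable_pkgs | while read -r p; do
        # -r lists the packages that require $p, -q drops the header line.
        n=$(pkg info -qr "$p" 2>/dev/null | grep -c . || true)
        classify "$p" "${n:-0}"
    done
}

if command -v pkg >/dev/null 2>&1; then
    triage_host
else
    # No pkg(8) here: show the parsing step on the constructed sample.
    sample_audit | vulnerable_pkgs
fi
```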

