pkg audit false negatives

Roger Marquis marquis at roble.com
Mon Aug 14 03:32:33 UTC 2017


> I do not think that holds:
>
> <vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
>     <topic>php -- multiple vulnerabilities</topic>
>     <affects>
>       <package>
>         <name>php55</name>
>         <range><lt>5.5.38</lt></range>
>       </package>
>
> This is an entry from svnweb, for php55, which was added in 2016(07-26).
>
> So this entry is there. Thus it did not disappear from VuXML at least.

You are right, Remko.  It looks like there was a policy or at least a
practice change about a year ago.  I even have an archived email from
Gerhard Schmidt who first noticed it back in Aug 2016.  My fault for not
doing sufficient fact rechecking.

So we are safe from false negatives after all.  Hurray, I can stop
relying on pkg-version (for this).

That leaves just unpackaged base as FreeBSD's remaining audit weakness.

Roger
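As an added example, not part of this thread and not pkg's own code: a small Python script that parses a VuXML fragment like the one quoted above and reports which entries affect a given package version, evaluating the <lt>/<le>/<gt>/<ge>/<eq> tags inside each <range> (all tags in one range must hold; several ranges are alternatives). The version ordering is a simplified approximation of pkg's rules (epoch after the comma, then the dotted version with numeric parts before alphabetic ones, then the _revision), not pkg's actual comparison code. The XML wrapper and the second php56 <package> element are constructed for the example; only the vid and the php55 range come from the quoted entry.

```python
import re
import xml.etree.ElementTree as ET

# Constructed VuXML fragment.  The vid and the php55 <range> are the ones
# quoted in the thread; the wrapper element and the php56 package are
# made up here to exercise a two-sided range (assumption, not real data).
VUXML_SAMPLE = """<vuxml>
  <vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
    <topic>php -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>php55</name>
        <range><lt>5.5.38</lt></range>
      </package>
      <package>
        <name>php56</name>
        <range><ge>5.6.0</ge><lt>5.6.24</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""


def parse_version(v):
    """Split a FreeBSD package version into (epoch, components, revision).

    Accepted shape: version[_revision][,epoch], e.g. '5.5.38_1,1'.
    Simplified approximation of pkg's ordering: numeric runs compare as
    integers, alphabetic runs as strings, and a number sorts before a letter.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = [(0, int(t)) if t.isdigit() else (1, t)
             for t in re.findall(r"\d+|[A-Za-z]+", v)]
    return (epoch, parts, revision)


def version_lt(a, b):
    """True if package version a sorts before package version b."""
    return parse_version(a) < parse_version(b)


# VuXML range tags mapped to comparisons of (installed, boundary).
OPS = {
    "lt": lambda x, y: x < y,
    "le": lambda x, y: x <= y,
    "gt": lambda x, y: x > y,
    "ge": lambda x, y: x >= y,
    "eq": lambda x, y: x == y,
}


def _range_matches(rng, key):
    """Every bound inside one <range> must hold for the range to match."""
    return all(OPS[c.tag](key, parse_version(c.text.strip())) for c in rng)


def affected_vids(vuxml_text, name, version):
    """Return the vids of all <vuln> entries whose <affects> covers
    package `name` at `version`, in document order, without duplicates."""
    root = ET.fromstring(vuxml_text)
    key = parse_version(version)
    hits = []
    for vuln in root.iter("vuln"):
        vid = vuln.get("vid")
        for pkg in vuln.iter("package"):
            names = {n.text.strip() for n in pkg.findall("name")}
            if name not in names:
                continue
            if any(_range_matches(r, key) for r in pkg.findall("range")):
                hits.append(vid)
                break  # one match per vuln is enough
    return hits


if __name__ == "__main__":
    for pkg, ver in [("php55", "5.5.37_2"), ("php55", "5.5.38"),
                     ("php56", "5.6.23"), ("php56", "5.6.24")]:
        vids = affected_vids(VUXML_SAMPLE, pkg, ver)
        print(f"{pkg}-{ver}: {'AFFECTED ' + ', '.join(vids) if vids else 'ok'}")
```

This is the check that a false negative would silently skip: if the php55 <package> element were dropped from the entry, affected_vids() would return nothing for php55-5.5.37 even though the entry's topic still names php, which is why comparing against pkg version (upstream has a newer version) was being used as a cross-check.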
