pkg audit false negatives

Remko Lodder remko at FreeBSD.org
Mon Aug 14 08:56:29 UTC 2017


> On 14 Aug 2017, at 05:32, Roger Marquis <marquis at roble.com> wrote:
> 
>> I do not think that holds:
>> 
>> <vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
>>   <topic>php -- multiple vulnerabilities</topic>
>>   <affects>
>>     <package>
>>       <name>php55</name>
>>       <range><lt>5.5.38</lt></range>
>>     </package>
>> 
>> This is an entry from svnweb, for php55, which was added in 2016(07-26).
>> 
>> So this entry is there. Thus it did not disappear from VuXML at least.
> 
> You are right, Remko.  It looks like there was a policy or at least a
> practice change about a year ago.  I even have an archived email from
> Gerhard Schmidt who first noticed it back in Aug 2016.  My fault for not
> doing sufficient fact rechecking.
> 
> So we are safe from false negatives after all.  Hurray, I can stop
> relying on pkg-version (for this).
> 
> That leaves just unpackaged base as FreeBSD's remaining audit weakness.

Hi, I am happy that I can reduce your worry factor a bit ;-)

Can you share what the audit weakness is? The freebsd-update cron job checks
whether or not an update is available and then emails you. If you run
-RELEASE, that means that either an EN or an SA has been released.

Cheers
Remko
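As an added illustration of the check this thread is about (example code written for this page, not from the list or from pkg itself): a minimal VuXML matcher in the spirit of `pkg audit`, run over the php55 entry quoted above. The version comparison is a simplified assumption (pkg's real algorithm also orders letter, `_` and `,` suffixes), and the installed-package list is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed VuXML document wrapping the php55 entry quoted in the thread.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
  <topic>php -- multiple vulnerabilities</topic>
  <affects><package>
    <name>php55</name>
    <range><lt>5.5.38</lt></range>
  </package></affects>
</vuln>
</vuxml>"""
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

def version_lt(a, b):
    """a < b for dot-separated numeric versions. Simplification (assumption):
    real pkg also orders letter, '_' and ',' suffixes."""
    return [int(x) for x in a.split(".")] < [int(x) for x in b.split(".")]

# VuXML range bounds; every bound inside one <range> must hold for a match.
BOUNDS = {
    "lt": lambda v, b: version_lt(v, b),
    "le": lambda v, b: not version_lt(b, v),
    "gt": lambda v, b: version_lt(b, v),
    "ge": lambda v, b: not version_lt(v, b),
    "eq": lambda v, b: not version_lt(v, b) and not version_lt(b, v),
}

def in_range(version, rng):
    return all(BOUNDS[b.tag.split("}")[1]](version, b.text.strip()) for b in rng)

def audit(installed, vuxml=VUXML):
    """Map each 'name-version' string (as `pkg info` prints it) that falls
    inside an affected range to the list of matching vids."""
    root = ET.fromstring(vuxml)
    hits = {}
    for pkg in installed:
        name, version = pkg.rsplit("-", 1)
        for vuln in root.findall("v:vuln", NS):
            for affected in vuln.findall("v:affects/v:package", NS):
                # Match is on the exact package name: php56-5.5.36 would never
                # be compared against a php55 entry, whatever its version.
                if name not in [n.text for n in affected.findall("v:name", NS)]:
                    continue
                if any(in_range(version, r) for r in affected.findall("v:range", NS)):
                    hits.setdefault(pkg, []).append(vuln.get("vid"))
    return hits

if __name__ == "__main__":
    for pkg, vids in audit(["php55-5.5.36", "php55-5.5.38", "php56-5.6.1"]).items():
        print(pkg, "is vulnerable:", ", ".join(vids))
```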


> 
> Roger

