Ports EOL vuxml entry

Weldon Godfrey weldon at excelsusphoto.com
Tue Aug 23 13:15:31 UTC 2016


Gerhard Schmidt <schmidt at ze.tum.de> wrote:

> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.

An EOL product is typically no longer tracked, analyzed, and corrected
for security vulnerabilities. With this higher risk profile, it is
correct to assume it is vulnerable or at least a higher security risk.
A clean report from pkg audit with EOL packages on the system will
mislead the vast majority of end-users into thinking they have a
lower-risk security profile. It is correct for pkg audit to warn on EOL
packages, especially since any actual vulnerabilities, which are almost
certain to come up, will likely never show on a future report.
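
The matching behaviour the reply relies on, as an added illustration that is not part of the thread or of pkg(8)/the VuXML database: a minimal matcher that evaluates a constructed VuXML fragment against installed package versions, showing that with a plain vulnerability entry the first fixed version (1.2.3) audits clean, while an end-of-life entry with an open-ended range keeps every version of the package on the report. The package name, vids and topics are placeholders, the version-ordering rules are a simplified assumption (pkg(8) has more), and the "end of life" topic suffix used to filter EOL entries is a convention assumed for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed VuXML fragment for illustration only; the vids, package name
# and topics are placeholders, not entries from the real ports database.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>examplepkg -- buffer overflow in request parser</topic>
    <affects>
      <package>
        <name>examplepkg</name>
        <range><lt>1.2.3</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>examplepkg -- end of life</topic>
    <affects>
      <package>
        <name>examplepkg</name>
        <range><ge>0</ge></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_version(ver):
    """Simplified FreeBSD package version key (assumption, not pkg(8)'s
    full algorithm): epoch after ',', dot-separated components, port
    revision after '_'.  Numeric components sort numerically."""
    epoch = 0
    if "," in ver:
        ver, e = ver.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in ver:
        ver, r = ver.split("_", 1)
        rev = int(r)
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in ver.split("."))
    return (epoch, parts, rev)


# VuXML range bounds; a <range> matches when every bound inside it holds.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def matching_topics(vuxml_text, pkgname, pkgversion, include_eol=True):
    """Topics of every <vuln> whose ranges cover pkgname-pkgversion.
    include_eol=False drops entries whose topic ends in 'end of life'
    (assumed naming convention) to show what a report without them hides."""
    root = ET.fromstring(vuxml_text)
    ver = parse_version(pkgversion)
    topics = []
    for vuln in root.findall("v:vuln", NS):
        topic = vuln.findtext("v:topic", default="", namespaces=NS)
        if not include_eol and topic.endswith("end of life"):
            continue
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkg.findtext("v:name", namespaces=NS) != pkgname:
                continue
            if any(all(OPS[_local(b.tag)](ver, parse_version(b.text)) for b in rng)
                   for rng in pkg.findall("v:range", NS)):
                topics.append(topic)
                break
    return topics


def audit(installed, vuxml_text=VUXML, include_eol=True):
    """Return {'name-version': [topics]} for affected packages only,
    the shape of a pkg audit report; an empty dict is a 'clean' run."""
    report = {}
    for name, version in installed.items():
        hits = matching_topics(vuxml_text, name, version, include_eol)
        if hits:
            report[f"{name}-{version}"] = hits
    return report


if __name__ == "__main__":
    # Constructed installed set: the first version that fixes the overflow.
    installed = {"examplepkg": "1.2.3"}
    print("with EOL entry:   ", audit(installed))
    print("without EOL entry:", audit(installed, include_eol=False))
```

The second run is the "clean report" the reply warns about: the same package, with no maintainer left to file the next entry, drops off the report entirely once the EOL entry is removed.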
