Ports EOL vuxml entry
Roger Marquis
marquis at roble.com
Tue Aug 23 15:50:51 UTC 2016
> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.
Exactly. The meta-discussion we're having is regarding the word 'audit'
(in 'pkg audit'). When you or I audit a server or a site the client
always wants to know about potential vulnerabilities as well as known
ones. This is because the deliverable is a measure of risk, not just
proven risks but also potential risks. Even the commercial scanning
tools (Tripwire, Qualys ...) report on potential vulnerabilities as well
as those documented in CVEs.
> I have some servers that run legacy code that still needs
> python24. Every one of these machines reports right now that there is a
> vulnerable package installed and there is no way to tell pkg audit to
> stop reporting it.
If my reading of
<www.cvedetails.com/vulnerability-list/vendor_id-1238/Python-Software-Foundation.html>
is correct, python24 has documented vulnerabilities. This is expected of
deprecated software and the reason many of us want to know which
installed packages are deprecated when we run 'pkg audit'.
> Sure I can filter python24 from the pkg audit output so it doesn't trigger
> the warning.
Why not just 'grep vulnerable' if that's your goal, or 'grep -v
deprecated' (or use a pkg flag to that effect if and when one becomes
available)?
> They are a different kind of Security risk and pkg audit should report
> them by default as that, but not as vulnerability.
But it's not reporting them as vulnerable, it is reporting them as
deprecated or unmaintained.
> There should be a way to state that the sysadmin is aware of the
> outdated port and prevent pkg audit from reporting it
Agreed, though I expect such a report would see little use.
Roger
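As an added example (not from the thread or from pkg itself): a small POSIX sh script that splits 'pkg audit' style output into documented vulnerabilities versus deprecation/EOL notices, then drops entries the sysadmin has acknowledged, which is the filtering and suppression the thread discusses. The sample audit text is constructed, the WWW URLs are placeholders, and the acknowledgement list is an assumption (pkg has no such flag on the page).

```shell
#!/bin/sh
# Added example, not from the thread: classify 'pkg audit' style output.
# SAMPLE_AUDIT is constructed; real vuxml titles vary per advisory and the
# acknowledgement list below is an assumed local convention, not a pkg feature.
SAMPLE_AUDIT='python24-2.4.6_8 is vulnerable:
python24 -- deprecated, unmaintained upstream
WWW: https://example.invalid/vuxml/placeholder

openssl-1.0.2h_1 is vulnerable:
OpenSSL -- multiple vulnerabilities
WWW: https://example.invalid/vuxml/placeholder

2 problem(s) in the installed packages found.'

# Every package the audit flagged (the "<pkg> is vulnerable:" header lines).
flagged_pkgs() {
    printf '%s\n' "$1" | awk '/ is vulnerable:/ { print $1 }'
}

# Packages whose entry title (the line after the header) is an EOL notice.
deprecated_pkgs() {
    printf '%s\n' "$1" | awk '
        / is vulnerable:/ { pkg = $1; next }
        pkg != "" && /deprecated|unmaintained/ { print pkg }
        { pkg = "" }'
}

# Packages flagged for a documented flaw rather than for deprecation.
vulnerable_pkgs() {
    printf '%s\n' "$1" | awk '
        / is vulnerable:/ { pkg = $1; next }
        pkg != "" && !/deprecated|unmaintained/ { print pkg }
        { pkg = "" }'
}

# $1: newline-separated package list (with versions); $2: space-separated
# package names (no version) the admin has acknowledged, e.g. "python24".
unacknowledged() {
    printf '%s\n' "$1" | awk -v ack="$2" '
        BEGIN { n = split(ack, a); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        $0 != "" { name = $0; sub(/-[^-]*$/, "", name); if (!(name in seen)) print }'
}

# Stand-alone demo: report both classes, then hide the acknowledged python24.
echo "== documented vulnerabilities"; vulnerable_pkgs "$SAMPLE_AUDIT"
echo "== deprecated / EOL";           deprecated_pkgs "$SAMPLE_AUDIT"
echo "== deprecated, not acknowledged"
unacknowledged "$(deprecated_pkgs "$SAMPLE_AUDIT")" "python24"
```

Run it against real output with `pkg audit | ...` piped into a variable in place of SAMPLE_AUDIT; an acknowledged package still shows up as vulnerable if a later entry for it is a documented flaw rather than an EOL notice.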