using pkg audit to show base vulnerabilities
Mark Felder
feld at FreeBSD.org
Thu Sep 8 00:21:27 UTC 2016
On Wed, Sep 7, 2016, at 18:23, Ben Woods wrote:
>
> Just a thought, once we move to PkgBase, will this simply work work "pkg
> audit"?
>
Yes, that's the plan as I know it.
> Are the new vuxml entries in the correct format to detect for individual
> base packages?
> E.g. FreeBSD-libxo, FreeBSD-libxo-debug, FreeBSD-libxo-development
>
The current format is irrelevant as the vulnerabilities will not apply
to a FreeBSD release that has pkg base. This is just a stopgap that has
been hacked up. I also do not know what the base package names will be
yet as I haven't played around with it, but we will be ensuring that
vuxml entries are correctly added once pkg base is finalized. It will be
possible to add entries that match for both older FreeBSD releases and
new pkg base releases.
> Are the new vuxml entries in a format that would support PkgBase for
> releases as well as for stable/current?
> E.g. FreeBSD-libxo-12.0_2, FreeBSD-libxo-12.0.s20160903042939
>
I don't know if it will be possible to match for stable/current users.
Depends on the versioning scheme.
--
Mark Felder
ports-secteam member
feld at FreeBSD.org
More information about the freebsd-security
mailing list