> On 12 Aug 2017, at 02:37, Roger Marquis <marq...@roble.com> wrote: > > On Fri, 11 Aug 2017, Remko Lodder wrote: > >> If an entry is removed from the ports/pkg tree?s and it is also removed >> from VuXML, then yes, it will no longer get marked in your local >> installation. That?s a bit of a chicken and egg basically. Although I do >> not recall that it ever happened that ports that are no longer there, are >> removed from VuXML as well. (And I follow that since 2004). >> Do you have a more concrete example that we can dive into to see what is >> going on/going wrong? > > Should be able to find missing vulxml entries for most anything that has > been deprecated from the ports tree but most of the ones I've seen are > for web programming languages, particularly php.
I do not think that holds: <vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8"> 17521 <topic>php -- multiple vulnerabilities</topic> 17522 <affects> 17523 <package> 17524 <name>php55</name> 17525 <range><lt>5.5.38</lt></range> 17526 </package> This is an entry from svnweb, for php55, which was added in 2016(07-26). So this entry is there. Thus it did not disappear from VuXML at least. Can you show such a packet from your local installation(s) and present a ``pkg audit -F`` along side it. I would also like to see a detailed pkg info from the affected pkg. Thanks a lot in advance, Remko > > For example when php5X was dropped it also disappeared from vulxml, with > no small number of servers still using it. If those sites depended on > pkg-audit to tell them they had a vulnerability, well, they were out of > luck. There was no warning, no error, no disclaimer, pkg-audit did and > still does nothing different than it would for a non-vulnerable port or > package. > > There may be more vulnerabilities in the wild from non-packaged base as > it is larger but at least people are working on that. Pkg-audit > tracking of installed but deprecated ports OTOH, seems to have fallen > through the cracks. Even the FreeBSD Foundation and the ports-security > teams appear to be ignoring this issue. > > Roger Marquis
Description: Message signed with OpenPGP