> On 12 Aug 2017, at 02:37, Roger Marquis <marq...@roble.com> wrote:
> On Fri, 11 Aug 2017, Remko Lodder wrote:
>> If an entry is removed from the ports/pkg trees and it is also removed
>> from VuXML, then yes, it will no longer get marked in your local
>> installation. That's a bit of a chicken and egg basically. Although I do
>> not recall that it ever happened that ports that are no longer there are
>> removed from VuXML as well. (And I have followed that since 2004.)
>> Do you have a more concrete example that we can dive into to see what is
>> going on/going wrong?
> Should be able to find missing VuXML entries for most anything that has
> been deprecated from the ports tree, but most of the ones I've seen are
> for web programming languages, particularly php.

I do not think that holds:

<vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
  <topic>php -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>php55</name>
      <range><lt>5.5.38</lt></range>
    </package>

This is an entry from svnweb, for php55, which was added on 2016-07-26.

So this entry is there. Thus it did not disappear from VuXML at least.

Can you show such a package from your local installation(s) and present a
``pkg audit -F`` alongside it? I would also like to see a detailed ``pkg info``
for the affected pkg.

Thanks a lot in advance,

> For example, when php5X was dropped it also disappeared from VuXML, with
> no small number of servers still using it.  If those sites depended on
> pkg-audit to tell them they had a vulnerability, well, they were out of
> luck.  There was no warning, no error, no disclaimer; pkg-audit did and
> still does nothing different than it would for a non-vulnerable port or
> package.
> There may be more vulnerabilities in the wild from non-packaged base as
> it is larger but at least people are working on that.  Pkg-audit
> tracking of installed but deprecated ports OTOH, seems to have fallen
> through the cracks.  Even the FreeBSD Foundation and the ports-security
> teams appear to be ignoring this issue.
> Roger Marquis

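What the two sides of this exchange are actually arguing about is the matching step: ``pkg audit`` says nothing about a package unless some VuXML entry names it and its installed version falls inside an ``<affects>`` range. The following is an added example, not code from the thread or from pkg itself: it parses a constructed VuXML fragment (the php55 vid and range are the ones quoted above; the php56 entry and the package list are made up), applies the ranges to a constructed ``pkg query '%n %v'`` listing, and separately lists installed packages that no VuXML entry mentions at all, which is exactly the silent case Roger describes. Version comparison is a simplified model of pkg's rules (dotted numeric components, optional ``_PORTREVISION`` and ``,PORTEPOCH``); real pkg also orders suffixes such as ``pl``, ``a1`` and ``rc1``.

```python
"""Added example: VuXML range matching in the style of pkg audit.
Constructed data throughout; simplified version comparison (see lead-in)."""
import re
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed VuXML fragment. The php55 vid and range come from the thread;
# the php56 package entry is an assumption added for illustration.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
    <topic>php -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>php55</name>
        <range><lt>5.5.38</lt></range>
      </package>
      <package>
        <name>php56</name>
        <range><lt>5.6.24</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

# Constructed output of: pkg query '%n %v'
PKG_QUERY_OUTPUT = """php55 5.5.30
php56 5.6.24_1
bash 4.4.12
"""


def parse_pkg_list(text):
    """'name version' lines -> {name: version}."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split()
            installed[name] = version
    return installed


def parse_version(v):
    """'5.5.38_2,1' -> (epoch, [5, 5, 38], revision). Simplified model."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = [int(p) for p in re.findall(r"\d+", v)]  # non-numeric suffixes ignored
    return epoch, parts, rev


def vcmp(a, b):
    """-1, 0 or 1: epoch first, then dotted components, then port revision."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    n = max(len(pa), len(pb))
    pa, pb = pa + [0] * (n - len(pa)), pb + [0] * (n - len(pb))
    if pa != pb:
        return (pa > pb) - (pa < pb)
    return (ra > rb) - (ra < rb)


# VuXML bound tags, evaluated on vcmp(installed, bound).
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "gt": lambda c: c > 0,
       "ge": lambda c: c >= 0, "eq": lambda c: c == 0}


def in_range(version, range_el):
    """A <range> matches when every bound inside it holds."""
    return all(OPS[b.tag[len(NS):]](vcmp(version, b.text.strip())) for b in range_el)


def audit(vuxml_text, installed):
    """{pkgname: [(vid, topic), ...]} for installed packages inside a range."""
    hits = {}
    for vuln in ET.fromstring(vuxml_text).iter(NS + "vuln"):
        vid, topic = vuln.get("vid"), vuln.findtext(NS + "topic")
        for pkg in vuln.iter(NS + "package"):
            name = pkg.findtext(NS + "name")
            if name in installed and any(
                    in_range(installed[name], r) for r in pkg.findall(NS + "range")):
                hits.setdefault(name, []).append((vid, topic))
    return hits


def uncovered(vuxml_text, installed):
    """Installed packages that no VuXML entry names at all: audit is silent
    on these whether or not they are vulnerable (the deprecated-port case)."""
    named = {p.findtext(NS + "name")
             for p in ET.fromstring(vuxml_text).iter(NS + "package")}
    return set(installed) - named


if __name__ == "__main__":
    installed = parse_pkg_list(PKG_QUERY_OUTPUT)
    for name, entries in audit(VUXML, installed).items():
        for vid, topic in entries:
            print(f"{name}-{installed[name]} is vulnerable: {topic} ({vid})")
    print("no VuXML entry at all:", sorted(uncovered(VUXML, installed)))
```

With the constructed data, php55-5.5.30 is reported against the quoted vid, php56-5.6.24_1 is not (the port revision puts it above 5.6.24), and bash shows up only in the "no entry at all" list. Deleting the php55 ``<package>`` block from the fragment moves php55 into that second list, which is the chicken-and-egg case Remko describes: an installed package with its entry gone is indistinguishable, to this matching logic, from one that was never vulnerable.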