Re: pkg audit false negatives

2017-08-14 Thread Roger Marquis
That leaves just unpackaged base as FreeBSD's remaining audit weakness. Hi, I am happy that I can reduce your worry factor a bit ;-) Can you share what the audit weakness is? freebsd-update cron checks whether or not an update is available and then emails you. If you run -RELEASE, then that

Re: pkg audit false negatives

2017-08-14 Thread Remko Lodder
> On 14 Aug 2017, at 05:32, Roger Marquis wrote: > >> I do not think that holds: >> >> >> 17521 php -- multiple vulnerabilities >> 17522 >> 17523 >> 17524 php55 >> 17525 5.5.38 >> 17526 >> >>

Re: pkg audit false negatives

2017-08-13 Thread Roger Marquis
I do not think that holds: 17521 php -- multiple vulnerabilities 17522 17523 17524 php55 17525 5.5.38 17526 This is an entry from svnweb, for php55, which was added in 2016(07-26). So this entry is there. Thus it did not disappear from VuXML

Re: pkg audit false negatives

2017-08-12 Thread Remko Lodder
> On 12 Aug 2017, at 02:37, Roger Marquis wrote: > > On Fri, 11 Aug 2017, Remko Lodder wrote: > >> If an entry is removed from the ports/pkg tree's and it is also removed >> from VuXML, then yes, it will no longer get marked in your local >> installation. That's a bit of a

Re: pkg audit false negatives

2017-08-11 Thread Roger Marquis
On Fri, 11 Aug 2017, Remko Lodder wrote: If an entry is removed from the ports/pkg tree's and it is also removed from VuXML, then yes, it will no longer get marked in your local installation. That's a bit of a chicken and egg basically. Although I do not recall that it ever happened that ports

Re: pkg audit false negatives

2017-08-11 Thread Remko Lodder
> On 11 Aug 2017, at 23:47, Roger Marquis wrote: > >> It had been resolved for dovecot (it will now match both variants, since >> people might still have >> the old variant of the port installed) and there is a new paragraph added to >> the porters handbook >> which tells

Re: pkg audit false negatives

2017-08-11 Thread Roger Marquis
It had been resolved for dovecot (it will now match both variants, since people might still have the old variant of the port installed) and there is a new paragraph added to the porters handbook which tells that we need to have a look at the vuxml entries. Thanks Remko. Hope this solves

Re: pkg audit false negatives

2017-08-11 Thread Remko Lodder
Hi Roger, > On 11 Aug 2017, at 17:14, Remko Lodder wrote: > > Hi Roger, > >> On 11 Aug 2017, at 04:41, Roger Marquis wrote: >> >> In the past pkg-audit and even pkg-version have not been reliable tools >> where installed ports or packages have been

Re: pkg audit false negatives

2017-08-11 Thread Remko Lodder
Hi Roger, > On 11 Aug 2017, at 04:41, Roger Marquis wrote: > > In the past pkg-audit and even pkg-version have not been reliable tools > where installed ports or packages have been subsequently discontinued or > renamed. Today, however, I notice that dovecot2 is still

pkg audit false negatives

2017-08-10 Thread Roger Marquis
In the past pkg-audit and even pkg-version have not been reliable tools where installed ports or packages have been subsequently discontinued or renamed. Today, however, I notice that dovecot2 is still showing up in the output of pkg-version despite the port having been renamed to dovecot

Re: pkg audit false negatives (was: Perl upgrade - 5.20.x vulnerable)

2016-08-18 Thread Mark Felder
On Tue, Aug 16, 2016, at 11:41, Roger Marquis wrote: > > There's also an issue with older versions (perl 5.1*) no longer showing > up in the vuln.xml at all. I've seen perl, php and other critical > network components still in use because the site depended on 'pkg audit' > but did not know

pkg audit false negatives (was: Perl upgrade - 5.20.x vulnerable)

2016-08-16 Thread Roger Marquis
On 16 Aug 2016, JosC wrote: In the absence of running 'pkg audit -F', only the LOCALBASE/periodic/security/410.pkg-audit script updates the vuxml file and audit results. Until that happens, or pkg audit -F is run, pkg will still see an older version. Thinking with you I now ask myself: - Would