Gerhard Schmidt <schm...@ze.tum.de> wrote:
> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.

An EOL product is typically no longer tracked, analyzed, and corrected for security vulnerabilities. With this higher risk profile, it is correct to assume it is vulnerable or at least a higher security risk.

Since a clean report from pkg audit with EOL packages on the system will mislead the vast majority of end-users into believing that they have a lower risk security profile, it is correct for pkg audit to warn on EOL packages, especially since any actual vulnerabilities, which are almost certain to come up, will likely never show on a future report.