> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.

Exactly.  The meta-discussion we're having is regarding the word 'audit'
(in 'pkg audit').  When you or I audit a server or a site the client
always wants to know about potential vulnerabilities as well as known
ones.  This is because the deliverable is a measure of risk, not just
proven risks but also potential risks.  Even the commercial scanning
tools (Tripwire, Qualys ...) report on potential vulnerabilities as well
as those documented in CVEs.

> I have some servers that run legacy code that still needs
> python24. Every one of these machines reports right now that there is a
> vulnerable package installed and there is no way to tell pkg audit to
> stop reporting it.

If my reading of
<www.cvedetails.com/vulnerability-list/vendor_id-1238/Python-Software-Foundation.html>
is correct python24 has documented vulnerabilities.  This is expected of
deprecated software and the reason many of us want to know which
installed packages are deprecated when we run 'pkg audit'.

> Sure I can filter python24 from the pkg audit output so it doesn't trigger
> the warning.

Why not just 'grep vulnerable' if that's your goal, or 'grep -v
deprecated' (or use a pkg flag to that effect if and when one becomes
available)?

> They are a different kind of security risk and pkg audit should report
> them by default as that, but not as a vulnerability.

But it's not reporting them as vulnerable, it is reporting them as
deprecated or unmaintained.

> There should be a way to state that the sysadmin is aware of the
> outdated port and prevent pkg audit from reporting it.

Agreed though I expect such a report would see little use.

Roger
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
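Added example, not from the thread or from pkg itself: a small sh/awk wrapper that does what the thread asks for, splitting pkg audit output into "vulnerable" and "deprecated" findings and suppressing deprecated entries the sysadmin has acknowledged, while never suppressing a vulnerable entry for the same port. The audit output lines and the acknowledgement list are constructed sample data; the exact wording of real pkg audit lines is an assumption.

```sh
#!/bin/sh
# Constructed sample in the style of "pkg audit" output (not real tool output;
# the "is vulnerable:" / "is deprecated:" wording is assumed for illustration).
SAMPLE_AUDIT='python24-2.4.6_1 is vulnerable:
python -- multiple vulnerabilities
WWW: https://example.invalid/vuln/PLACEHOLDER
python24-2.4.6_1 is deprecated: EOL upstream
oldlib-1.0 is deprecated: unmaintained
1 problem(s) in 2 installed package(s) found.'

# Hypothetical acknowledgement list: space-separated port names (no version)
# whose *deprecated* status the sysadmin has accepted.
ACKED_DEPRECATED='python24'

# filter_audit ACK_LIST  < audit-output
# Prints "VULNERABLE <pkg>" for every vulnerable package, and
# "DEPRECATED <pkg>" only for deprecated packages that are not acknowledged.
# Acknowledging deprecation never hides a documented vulnerability.
filter_audit() {
  awk -v ack="$1" '
    BEGIN {
      n = split(ack, list)            # whitespace-separated port names
      for (i = 1; i <= n; i++) acked[list[i]] = 1
    }
    # Package names look like name-version; strip the trailing -version.
    function portname(pkg,   p) { p = pkg; sub(/-[^-]*$/, "", p); return p }
    /^[^ ]+ is vulnerable:/ { print "VULNERABLE " $1; next }
    /^[^ ]+ is deprecated:/ {
      if (!(portname($1) in acked)) print "DEPRECATED " $1
      next
    }
    # Detail lines (CVE text, WWW:, summary) are dropped from the filtered view.
  '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | filter_audit "$ACKED_DEPRECATED"
```

With a real system, pipe `pkg audit` output into `filter_audit` instead of the sample and exit non-zero when any VULNERABLE line remains.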