Re: New pkg audit FNs

2017-10-13 Thread Torsten Zuehlsdorff
Aloha, Why not teach pkg-audit(8) to query NVD based on CPE annotations in *binary* packages? Doing so would also provide a workaround for VuXML entries cancelled to reduce bloat. I agree, pkg-audit needs to be taught to do that. Along those lines, we could create a port for cvechecker: h

Re: New pkg audit FNs

2017-10-10 Thread Stefan Esser
On 10.10.17 at 00:03, Steve Wills wrote:
> Hi,
>
> On 10/09/2017 17:55, Jan Beich wrote:
>> Why not teach pkg-audit(8) to query NVD based on CPE annotations in *binary* packages?
>> Doing so would also provide a workaround for VuXML entries cancelled to reduce bloat.
>
> I agree, pkg-au

Re: New pkg audit FNs

2017-10-09 Thread Steve Wills
Hi, On 10/09/2017 17:55, Jan Beich wrote: Steve Wills writes: Hi, On 10/09/2017 16:34, Jan Beich wrote: Matthew Seaman writes: On 09/10/2017 16:57, Roger Marquis wrote: Can anyone say what mechanisms the ports-security team might have in place to monitor CVEs and port software versions

Re: New pkg audit FNs

2017-10-09 Thread Jan Beich
Steve Wills writes:
> Hi,
>
> On 10/09/2017 16:34, Jan Beich wrote:
>> Matthew Seaman writes:
>>
>>> On 09/10/2017 16:57, Roger Marquis wrote:
>>> Can anyone say what mechanisms the ports-security team might have in place to monitor CVEs and port software versions?
>
> I've been hacki

Re: New pkg audit FNs

2017-10-09 Thread Steve Wills
Hi, On 10/09/2017 16:34, Jan Beich wrote: Matthew Seaman writes: On 09/10/2017 16:57, Roger Marquis wrote: Can anyone say what mechanisms the ports-security team might have in place to monitor CVEs and port software versions? I've been hacking at a prototype for scanning what I can find:

Re: New pkg audit FNs

2017-10-09 Thread Jan Beich
Matthew Seaman writes:
> On 09/10/2017 16:57, Roger Marquis wrote:
>
>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet there's no mention of it in the vulnerability database. The tomcat8 port's Makefile also still points to the older, vulnerable version.
>> Tomcat is

Re: New pkg audit FNs

2017-10-09 Thread Matthew Seaman
On 09/10/2017 16:57, Roger Marquis wrote:
> The reason I ask is CVE-2017-12617 was announced almost a week ago yet there's no mention of it in the vulnerability database. The tomcat8 port's Makefile also still points to the older, vulnerable version.
> Tomcat is one of those popular, internet-f

Re: New pkg audit FNs

2017-10-09 Thread User
Hello, They go by the public CVE announcements. The audit db might be slow on updating. But really you should be following CVEs for any software you use yourself that is mission critical.
On Oct 9, 2017 11:01 AM, "Roger Marquis" wrote:
> Can anyone say what mechanisms the ports-security team might

New pkg audit FNs

2017-10-09 Thread Roger Marquis
Can anyone say what mechanisms the ports-security team might have in place to monitor CVEs and port software versions? The reason I ask is CVE-2017-12617 was announced almost a week ago yet there's no mention of it in the vulnerability database. The tomcat8 port's Makefile also still points to th