Kubilay Kocak writes:
> This (good) argument sounds primarily about classification and/or the
> ability or lack thereof to distinguish between types-of-things, which
> are not identical:
>
> * Explicit vulnerability ("Active", Official record (CVE, etc), will or
> likely/expected to be fixed)
> *
On 24.08.2016 at 11:36, Xin Li wrote:
>
>
> On 8/23/16 14:23, Gerhard Schmidt wrote:
>> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
>> possible vulnerability, but not a real one.
>
> Do you have an exact VuXML ID? I don't think vuxml actually warns about
> EoL'ed soft
< said:
> I maintain a local patch to preserve this functionality which was in
> portaudit but not in pkg audit. Perhaps not bullet proof, but simple
> enough to be sure it does what I want it to do.
I have an open bug against pkg that it doesn't have this feature.
Would you consider submittin
On 8/23/16 14:23, Gerhard Schmidt wrote:
> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.
Do you have an exact VuXML ID? I don't think vuxml actually warns about
EoL'ed software, and it's likely that you have an actual issue, an
On Tue, 23 Aug 2016, Roger Marquis wrote:
There should be a way to state that the sysadmin is aware of the
outdated port and prevent pkg audit from reporting it
Agreed though I expect such a report would see little use.
I maintain a local patch to preserve this functionality which was in
po
Is an outdated (EOL) port a vulnerability? I don't think so. It's a
possible vulnerability, but not a real one.
Exactly. The meta-discussion we're having is regarding the word 'audit'
(in 'pkg audit'). When you or I audit a server or a site the client
always wants to know about potential vulne
On 23/08/2016 11:08 PM, Weldon Godfrey wrote:
> Gerhard Schmidt wrote:
>
>> Is an outdated (EOL) port a vulnerability? I don't think so. It's
>> a possible vulnerability, but not a real one.
>
> An EOL product is typically no longer tracked, analyzed, and
> corrected for security vulnerabilities
Gerhard Schmidt wrote:
> Is an outdated (EOL) port a vulnerability? I don't think so. It's a
> possible vulnerability, but not a real one.
An EOL product is typically no longer tracked, analyzed, and corrected
for security vulnerabilities. With this higher risk profile, it is
correct to assume
On 22.08.2016 at 15:54, Roger Marquis wrote:
>> today there was a new entry added to the vuxml file including all
>> outdated ports. Where is the value in this Entry?
>
> This is good news for many of us Gerhard, who depend on the output of
> 'pkg audit' for vulnerability information.
Is an ou
today there was a new entry added to the vuxml file including all
outdated ports. Where is the value in this Entry?
This is good news for many of us Gerhard, who depend on the output of
'pkg audit' for vulnerability information.
This file should contain only real vulnerabilities and not maybe
v
Hi,
today there was a new entry added to the vuxml file including all
outdated ports. Where is the value in this Entry? The information is
already in the fact that the port has been removed.
This file should contain only real vulnerabilities and not
maybe-vulnerable, non-existing ports.
Right now