From owner-freebsd-questions@FreeBSD.ORG  Tue May  6 20:27:12 2014
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 9891FF77
 for <freebsd-questions@freebsd.org>; Tue,  6 May 2014 20:27:12 +0000 (UTC)
Received: from mail-oa0-x236.google.com (mail-oa0-x236.google.com
 [IPv6:2607:f8b0:4003:c02::236])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 64459F93
 for <freebsd-questions@freebsd.org>; Tue,  6 May 2014 20:27:12 +0000 (UTC)
Received: by mail-oa0-f54.google.com with SMTP id j17so11693oag.41
 for <freebsd-questions@freebsd.org>; Tue, 06 May 2014 13:27:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:date:message-id:subject:from:to:content-type;
 bh=YhthumWjaQ0t0LieOYAoLCz59rH9E3EC9TUp47vp5ho=;
 b=u/E/UA6eWyqyg+crCSyn7vEOMvSd+wLLzBeQVXGjFltMhylt8++HAcENhVgUA3ZqrB
 vClUrX163Q4kGCq5mfRHdfF/HsCFMCNVV9UeTKb1DYn1YNqe5ODfNI3g5Kfjk5T+wK0W
 Kjo4/CkpYJ/CV1qzrUwAFQK1qwKeWZmsB+HYiUoTFadapbtQD95RdmdXNv6SGfmgLCPP
 5pxQjVxswHXr0M9HoJ0Tog67rSrJ3oZmREjS6+QoqTJiURPrhfXkZMr68T9YK7Js6fdA
 mLwNtA/RNBzXzJJnHnUffbXnXNkT9cQRmLTBlaodjuw8KTMyAZ4L/LX1OEAws7NOArfl
 NiUg==
MIME-Version: 1.0
X-Received: by 10.182.43.132 with SMTP id w4mr40372596obl.41.1399408031363;
 Tue, 06 May 2014 13:27:11 -0700 (PDT)
Received: by 10.60.144.137 with HTTP; Tue, 6 May 2014 13:27:11 -0700 (PDT)
Date: Tue, 6 May 2014 13:27:11 -0700
Message-ID: <CAFS4T6ZTGERL3a6DmkAhHMLG2C+NT6hbA--dgwwQZo9Gux_ogg@mail.gmail.com>
Subject: pkg audit disagrees with pkg upgrade ???
From: "edflecko ." <edflecko@gmail.com>
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.18
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 20:27:12 -0000

I'm checking to see if I need to upgrade any installed packages. pkg audit
-F says I have three vulnerabilities, but when I run pkg upgrade -y, it
thinks everything is O.K. (see below)

Why the discrepancy? Which one should I believe?


fbsd_box# pkg audit -F

Vulnxml file up-to-date.
linux-f10-expat-2.0.1 is vulnerable:
expat2 -- Parser crash with specially formatted UTF-8 sequences
CVE: CVE-2009-3720
WWW: http://portaudit.FreeBSD.org/5f030587-e39a-11de-881e-001aa0166822.html

linux-f10-png-1.2.37_2 is vulnerable:
png -- memory corruption/possible remote code execution
CVE: CVE-2011-3048
WWW: http://portaudit.FreeBSD.org/262b92fe-81c8-11e1-8899-001ec9578670.html

linux-f10-tiff-3.8.2 is vulnerable:
tiff -- Multiple integer overflows
CVE: CVE-2009-2347
WWW: http://portaudit.FreeBSD.org/8816bf3a-7929-11df-bcce-0018f3e2eb82.html

3 problem(s) in the installed packages found.

fbsd_box# pkg upgrade -y
Updating repository catalogue
Nothing to do


Ed