Date:      Sun, 10 May 2015 02:08:19 -0700
From:      David Benfell <benfell@parts-unknown.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Postfix vulnarebility wrongly reported by pkg audit?
Message-ID:  <20150510020819.Horde.eC28WWwjJ0tJo9WbqQ-sno0@mail.parts-unknown.org>
In-Reply-To: <20150510080130.GC2534@vps.markoturk.info>

Quoting Marko Turk <markoml@markoturk.info>:
>
> today my postfix-2.11.4,1 was marked as vulnerable by the pkg audit
> tool. But, when I go to the web pages the tool outputs it says that my
> version of postfix is not vulnerable (and that these vulnerabilities are
> from 2011).

If I understood correctly, the problem is with the ownership of
/var/db/postfix. But to be honest, I don't see how it's in fact a
vulnerability. The complaint is that the ownership is set to root
rather than postfix.

When I look at my instance, I see:

[benfell@home ~]% ls -ald /var/db/postfix
drwx------  2 postfix  wheel  512 Apr 16 01:07 /var/db/postfix

Now, I can see how root ownership might prevent postfix from working.
Not how it's a vulnerability. And it seems that at least on my
instance, it is correctly set, anyhow. So I'm just confused.


-- 
David Benfell <benfell@parts-unknown.org>



