Date:      Sun, 10 May 2015 11:06:54 +0200
From:      Terje Elde <terje@elde.net>
To:        Marko Turk <markoml@markoturk.info>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Postfix vulnerability wrongly reported by pkg audit?
Message-ID:  <58DE831C-17C4-425A-8761-623137AE302F@elde.net>
In-Reply-To: <20150510080130.GC2534@vps.markoturk.info>
References:  <20150510080130.GC2534@vps.markoturk.info>



> On 10 May 2015, at 10:01, Marko Turk <markoml@markoturk.info> wrote:
> 
> today my postfix-2.11.4,1 was marked as vulnerable by the pkg audit
> tool. But, when I go to the web pages the tool outputs it says that my
> version of postfix is not vulnerable (and that these vulnerabilities
> are from 2011).
> 
> Is my version also vulnerable or is there an issue with version check?

I looked into this yesterday myself, and I'm pretty sure this is just an issue with the version check.

There was a commit yesterday which changed wildcards to zeroes for several ports, including postfix:
https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=385815&r2=385864

The reason was that wildcards are not valid version-numbers, yet they do indeed seem valid for VuXML-version matching:
https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html


My guess is that this leads to the version-check logic throwing up your version of postfix as a false positive.

I fired off an email to the committer of the change, but no word yet.  Just been a few hours though.

Terje




