Date:      Tue, 3 May 2016 10:27:36 +0200
From:      Christoph Pilka <c.pilka@asconix.com>
To:        freebsd-questions@freebsd.org
Subject:   pkg audit systemwide vs pkg audit packagewise
Message-ID:  <1D71A8D8-2CD8-4C89-93BB-A53F48BE8588@asconix.com>

Hi,

I have a sort of weird behaviour when it comes to pkg audits. Same system:

#~ pkg audit -F

tells me:

	Fetching vuln.xml.bz2: 100%  595 KiB 609.6kB/s    00:01
	0 problem(s) in the installed packages found.

but running pkg audit for a specific package, e.g. bash:

#~ pkg audit -F bash

tells me:

	Fetching vuln.xml.bz2: 100%  595 KiB 609.6kB/s    00:01
	bash is vulnerable:
	Affected versions:
	< 4.3.25_2
	bash -- remote code execution
	CVE: CVE-2014-6278
	CVE: CVE-2014-6277
	WWW: https://vuxml.FreeBSD.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html

	bash is vulnerable:
	Affected versions:
	< 4.3.27_1
	bash -- out-of-bounds memory access in parser
	CVE: CVE-2014-7187
	CVE: CVE-2014-7186
	WWW: https://vuxml.FreeBSD.org/freebsd/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html

	bash is vulnerable:
	Affected versions:
	> 4.3 : < 4.3.25_1
	> 4.2 : <= 4.2.48
	> 4.1 : <= 4.1.12
	> 4.0 : <= 4.0.39
	> 3.2 : <= 3.2.52
	> 3.1 : <= 3.1.18
	> 3.0 : <= 3.0.17
	bash -- remote code execution vulnerability
	CVE: CVE-2014-7169
	CVE: CVE-2014-6271
	WWW: https://vuxml.FreeBSD.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html

	1 problem(s) in the installed packages found.

That's confusing, especially because none of the version numbers in the CVEs listed above actually matches the version of bash that is installed on the system:

#~ pkg info bash | grep ^Version

	Version        : 4.3.42_1

Am I doing something wrong or is it actually a bug?

Cheerio,
Chris
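Added example (not part of the original message and not pkg(8)'s own code): a small Python model of how the VuXML ranges quoted above are matched against an installed version. The version comparator is a deliberately reduced form of the rules in pkg-version(8) (VERSION[_REVISION][,EPOCH], epoch first, then dot-separated numeric components, then revision; letter suffixes are only compared as plain strings and the pl/a/b special cases are not modelled). The three bash entries are constructed from the output in the message. The `audit(None)` branch is an assumption, not taken from pkg's source: it models what a query carrying no version to compare would produce, i.e. every entry for the package name, which is one way to read the difference between the system-wide run and the `bash`-only run.

```python
"""Simplified FreeBSD package-version comparison and VuXML range matching.

Added example, not pkg(8)'s code. Comparison rules are a reduced form of
pkg-version(8): VERSION[_REVISION][,EPOCH]; epoch compared first, then the
dot-separated version components, then the revision. Letter suffixes are
compared as plain strings; the pl/a/b special cases are not modelled.
"""
import re
from typing import List, Optional, Tuple

# Comparison operators as they appear in VuXML range output.
OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "=": lambda c: c == 0,
}


def parse_version(s: str) -> Tuple[int, List[Tuple[int, str]], int]:
    """Split '4.3.42_1,0' into (epoch, [(4,''),(3,''),(42,'')], revision)."""
    epoch = 0
    if "," in s:
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in s:
        s, r = s.rsplit("_", 1)
        revision = int(r)
    comps = []
    for part in s.split("."):
        m = re.fullmatch(r"(\d*)([A-Za-z]*)", part)
        if not m:
            raise ValueError(f"unsupported version component {part!r}")
        num = int(m.group(1)) if m.group(1) else 0
        comps.append((num, m.group(2).lower()))
    return epoch, comps, revision


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, == or > b under the simplified rules."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    # Pad the shorter component list so that 4.3 compares equal to 4.3.0.
    n = max(len(ca), len(cb))
    ca = ca + [(0, "")] * (n - len(ca))
    cb = cb + [(0, "")] * (n - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def parse_range(spec: str) -> List[Tuple[str, str]]:
    """Parse '> 4.3 : < 4.3.25_1' into [('>', '4.3'), ('<', '4.3.25_1')]."""
    clauses = []
    for clause in spec.split(":"):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported range clause {clause!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def in_range(version: str, spec: str) -> bool:
    """True when every clause of a single range line holds for version."""
    return all(OPS[op](compare(version, bound)) for op, bound in parse_range(spec))


# Constructed from the three bash entries quoted in the message; each entry
# is vulnerable if ANY of its range lines matches.
BASH_ENTRIES = [
    ("bash -- remote code execution", ["< 4.3.25_2"]),
    ("bash -- out-of-bounds memory access in parser", ["< 4.3.27_1"]),
    ("bash -- remote code execution vulnerability",
     ["> 4.3 : < 4.3.25_1", "> 4.2 : <= 4.2.48", "> 4.1 : <= 4.1.12",
      "> 4.0 : <= 4.0.39", "> 3.2 : <= 3.2.52", "> 3.1 : <= 3.1.18",
      "> 3.0 : <= 3.0.17"]),
]


def audit(version: Optional[str], entries=BASH_ENTRIES) -> List[str]:
    """Titles of the entries whose ranges contain version.

    version=None is an assumption about an unversioned query: with nothing
    to compare, no entry can be excluded, so all of them are reported.
    """
    if version is None:
        return [title for title, _ in entries]
    return [title for title, ranges in entries
            if any(in_range(version, r) for r in ranges)]


if __name__ == "__main__":
    for v in ("4.3.42_1", "4.3.24", "4.3.26", None):
        print(f"{v!r}: {audit(v)}")
```

Running it shows that 4.3.42_1 (the installed version in the message) falls inside none of the three ranges, a version such as 4.3.24 falls inside all of them, and 4.3.26 only inside the `< 4.3.27_1` entry; the unversioned query reports every entry because the comparator never runs.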


