Date: Tue, 3 May 2016 13:44:12 +0200
From: Ben Woods <woodsb02@gmail.com>
To: Christoph Pilka <c.pilka@asconix.com>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: pkg audit systemwide vs pkg audit packagewise
Message-ID: <CAOc73CAhMs7qmk=6vvzqUaCYcq1R5=BRH9SUP=KvLEGyZBmMfQ@mail.gmail.com>
In-Reply-To: <1D71A8D8-2CD8-4C89-93BB-A53F48BE8588@asconix.com>
References: <1D71A8D8-2CD8-4C89-93BB-A53F48BE8588@asconix.com>
On Tuesday, 3 May 2016, Christoph Pilka <c.pilka@asconix.com> wrote:
> Hi,
>
> I have a sort of weird behaviour when it comes to pkg audits. Same system:
>
> #~ pkg audit -F
>
> tells me:
>
> Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
> 0 problem(s) in the installed packages found.
>
> but running pkg audit for a specific package, e.g. bash:
>
> #~ pkg audit -F bash
>
> tells me:
>
> Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
> bash is vulnerable:
> Affected versions:
> < 4.3.25_2
> bash -- remote code execution
> CVE: CVE-2014-6278
> CVE: CVE-2014-6277
> WWW: https://vuxml.FreeBSD.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html
>
> bash is vulnerable:
> Affected versions:
> < 4.3.27_1
> bash -- out-of-bounds memory access in parser
> CVE: CVE-2014-7187
> CVE: CVE-2014-7186
> WWW: https://vuxml.FreeBSD.org/freebsd/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html
>
> bash is vulnerable:
> Affected versions:
> > 4.3 : < 4.3.25_1
> > 4.2 : <= 4.2.48
> > 4.1 : <= 4.1.12
> > 4.0 : <= 4.0.39
> > 3.2 : <= 3.2.52
> > 3.1 : <= 3.1.18
> > 3.0 : <= 3.0.17
> bash -- remote code execution vulnerability
> CVE: CVE-2014-7169
> CVE: CVE-2014-6271
> WWW: https://vuxml.FreeBSD.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html
>
> 1 problem(s) in the installed packages found.
>
> That's confusing, especially because none of the version numbers in the
> CVEs listed above actually matches the version of bash that is
> installed on the system:
>
> #~ pkg info bash | grep ^Version
>
> Version : 4.3.42_1
>
> Am I doing something wrong or is it actually a bug?
>
> Cheerio,
> Chris

Hi Chris,

Whilst this behaviour is not described in the pkg-audit(8) man page, it appears that when "pkg audit" is run without a specific package name it only shows vulnerabilities that affect the installed versions of packages, whilst when run with a specific package it shows all vulnerabilities whether the installed package versions are affected or not.

If you review the output of "pkg audit -F bash" you will notice that none of the vulnerabilities affect your installed version of bash 4.3.42_1.

Regards,
Ben

--
From: Benjamin Woods
woodsb02@gmail.com
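An added illustration, not part of the thread, of the check Ben describes: a small version comparator applied to the affected ranges quoted in the question, showing that 4.3.42_1 falls outside every one of them. It models only dotted numeric components, the `_revision` suffix and the `,epoch` suffix, not the full pkg version grammar (an assumption), and the advisory list is transcribed from the `pkg audit -F bash` output above.

```python
# Simplified FreeBSD port version model: epoch after ',', revision after '_',
# dotted numeric components in between. Letter suffixes, 'pl' and '+' forms
# of the real pkg comparison are deliberately not handled (assumption).
def parse_version(v):
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    parts = [int(p) for p in v.split(".")]
    return epoch, parts, rev

def compare(a, b):
    """Return -1, 0 or 1 as version a is below, equal to or above version b."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))          # '4.3' compares equal to '4.3.0'
    pa, pb = pa + [0] * (n - len(pa)), pb + [0] * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)

# Comparison results that satisfy each operator pkg audit prints.
OPS = {"<": (-1,), "<=": (-1, 0), ">": (1,), ">=": (0, 1)}

def in_range(installed, range_str):
    """range_str as pkg audit prints it, e.g. '< 4.3.25_2' or
    '> 4.3 : < 4.3.25_1'; every ':'-separated bound must hold."""
    for bound in range_str.split(":"):
        op, ver = bound.split()
        if compare(installed, ver) not in OPS[op]:
            return False
    return True

# Constructed from the 'pkg audit -F bash' output quoted in the question.
BASH_ADVISORIES = [
    ("bash -- remote code execution", ["< 4.3.25_2"]),
    ("bash -- out-of-bounds memory access in parser", ["< 4.3.27_1"]),
    ("bash -- remote code execution vulnerability",
     ["> 4.3 : < 4.3.25_1", "> 4.2 : <= 4.2.48", "> 4.1 : <= 4.1.12",
      "> 4.0 : <= 4.0.39", "> 3.2 : <= 3.2.52", "> 3.1 : <= 3.1.18",
      "> 3.0 : <= 3.0.17"]),
]

def affecting(installed, advisories=BASH_ADVISORIES):
    """Titles of advisories whose affected ranges include the installed version."""
    return [title for title, ranges in advisories
            if any(in_range(installed, r) for r in ranges)]
```

`affecting("4.3.42_1")` returns an empty list, which is the "0 problem(s)" result of the system-wide run; an older build such as 4.3.25_1 is reported by the first two advisories.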