Date: Mon, 7 Sep 2015 11:15:36 +0200
From: Baptiste Daroussin <bapt@FreeBSD.org>
To: Marko Turk <marko@markoturk.info>
Cc: freebsd-pkg@freebsd.org
Subject: Re: Pkg audit package not identified as vulnerable
Message-ID: <20150907091536.GA38185@ivaldir.etoilebsd.net>
In-Reply-To: <20150907075915.GA1702@vps.markoturk.info>
References: <20150907075915.GA1702@vps.markoturk.info>

On Mon, Sep 07, 2015 at 09:59:15AM +0200, Marko Turk wrote:
> Hi,
>
> I have both gstreamer1-libav and ffmpeg installed. Both are vulnerable
> (according to vuxml.freebsd.org) but pkg audit prints one package
> two times. Additionally, pkg audit -v prints only one package as
> vulnerable.
>
> Is this intended behavior?
>
> BR,
> Marko
>
> root@shkatula:~ # pkg audit
> gstreamer1-libav-1.4.5 is vulnerable:
> ffmpeg -- use after free
> CVE: CVE-2015-3417
> WWW: https://vuxml.FreeBSD.org/freebsd/da434a78-e342-4d9a-87e2-7497e5f117ba.html
>
> gstreamer1-libav-1.4.5 is vulnerable:
> ffmpeg -- out-of-bounds array access
> CVE: CVE-2015-3395
> WWW: https://vuxml.FreeBSD.org/freebsd/80c66af0-d1c5-449e-bd31-63b12525ff88.html
>
> 1 problem(s) in the installed packages found.
>
> root@shkatula:~ # pkg audit -q
> gstreamer1-libav-1.4.5
> root@shkatula:~ #

Which version of ffmpeg do you have installed?

Best regards,
Bapt