Date: Mon, 7 Sep 2015 11:15:36 +0200
From: Baptiste Daroussin <bapt@FreeBSD.org>
To: Marko Turk <marko@markoturk.info>
Cc: freebsd-pkg@freebsd.org
Subject: Re: Pkg audit package not identified as vulnerable
Message-ID: <20150907091536.GA38185@ivaldir.etoilebsd.net>
In-Reply-To: <20150907075915.GA1702@vps.markoturk.info>
References: <20150907075915.GA1702@vps.markoturk.info>
On Mon, Sep 07, 2015 at 09:59:15AM +0200, Marko Turk wrote:
> Hi,
>
> I have both gstreamer1-libav and ffmpeg installed. Both are vulnerable
> (according to vuxml.freebsd.org) but pkg audit prints one package
> two times. Additionally, pkg audit -v prints only one package as
> vulnerable.
>
> Is this intended behavior?
>
> BR,
> Marko
>
> root@shkatula:~ # pkg audit
> gstreamer1-libav-1.4.5 is vulnerable:
> ffmpeg -- use after free
> CVE: CVE-2015-3417
> WWW: https://vuxml.FreeBSD.org/freebsd/da434a78-e342-4d9a-87e2-7497e5f117ba.html
>
> gstreamer1-libav-1.4.5 is vulnerable:
> ffmpeg -- out-of-bounds array access
> CVE: CVE-2015-3395
> WWW: https://vuxml.FreeBSD.org/freebsd/80c66af0-d1c5-449e-bd31-63b12525ff88.html
>
> 1 problem(s) in the installed packages found.
>
> root@shkatula:~ # pkg audit -q
> gstreamer1-libav-1.4.5
> root@shkatula:~ #

Which version of ffmpeg do you have installed?

Best regards,
Bapt
