To: freebsd-questions@freebsd.org
From: John Goerzen
Subject: pkg audit finds updates, but pkg upgrade doesn't
Date: Mon, 16 Feb 2015 22:12:01 +0000 (UTC)

Hello,

So this is a bit of an odd one.
Is this a bug, or am I missing something?

So I ran pkg audit today, and got this:

root@freebsd-laptop:~ # pkg audit -F
pkg: vulnxml file up-to-date
xorg-server-1.14.7_1,1 is vulnerable:
xorg-server -- Information leak in the XkbSetGeometry request of X servers.
CVE: CVE-2015-0255
WWW: http://vuxml.FreeBSD.org/freebsd/54a69cf7-b2ef-11e4-b1f1-bcaec565249c.html

1 problem(s) in the installed packages found.

OK, so far so good, right? I need a new xorg-server. But:

root@freebsd-laptop:~ # pkg update
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
root@freebsd-laptop:~ # pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.

Hmm. I can repeat these commands as often as I like, and still I get the same thing: xorg-server is vulnerable, but my packages are up-to-date.

That issue has been in FreeBSD's vulnerability database for almost a week, so presumably I'm not just seeing mirror lag or something here.

Any ideas?

Thanks,

John
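
Added example (not part of the original message, and not code from the pkg project): a small sh script that takes the packages flagged by pkg audit and shows, for each one, which version the repository catalogue currently offers, so the two commands' views can be compared side by side. It assumes the "is vulnerable:" line format shown in the message above and a single configured repository; the function names and the repository version used in the offline run are made up for illustration.

```shell
#!/bin/sh
# Added example: compare what `pkg audit` flags with what the repository offers.

# Read `pkg audit` output on stdin and print "name version" for each flagged
# package. Package versions contain no '-', so the last '-' is the separator.
audit_flagged() {
    sed -n 's/^\(.*\)-\([^- ]\{1,\}\) is vulnerable:.*$/\1 \2/p'
}

# $1 = name, $2 = installed version, $3 = repository version ("" if none).
repo_status() {
    if [ -z "$3" ]; then
        echo "$1: installed $2, not found in repository catalogue"
    elif [ "$2" = "$3" ]; then
        echo "$1: installed $2, repository offers the same version"
    else
        echo "$1: installed $2, repository offers $3"
    fi
}

# The audit output quoted in the message above, embedded for an offline run.
sample_audit() {
    cat <<'EOF'
pkg: vulnxml file up-to-date
xorg-server-1.14.7_1,1 is vulnerable:
xorg-server -- Information leak in the XkbSetGeometry request of X servers.
CVE: CVE-2015-0255
WWW: http://vuxml.FreeBSD.org/freebsd/54a69cf7-b2ef-11e4-b1f1-bcaec565249c.html

1 problem(s) in the installed packages found.
EOF
}

if [ "${1:-}" = "--live" ]; then
    # On a FreeBSD host: ask the catalogue for each flagged package's version.
    pkg audit -F | audit_flagged | while read -r name ver; do
        repo_status "$name" "$ver" "$(pkg rquery '%v' "$name" 2>/dev/null </dev/null)"
    done
else
    # Offline run; the repository version below is an assumed value.
    sample_audit | audit_flagged | while read -r name ver; do
        repo_status "$name" "$ver" "1.14.7_1,1"
    done
fi
```

Run it with --live on the affected host; without arguments it only processes the embedded sample.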