Date: Fri, 04 Sep 2020 15:03:09 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 249110] security/gnupg: 2.2.23 is incorrectly marked as vulnerable by pkg audit Message-ID: <bug-249110-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D249110 Bug ID: 249110 Summary: security/gnupg: 2.2.23 is incorrectly marked as vulnerable by pkg audit Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: adamw@FreeBSD.org Reporter: jjuanino@gmail.com Flags: maintainer-feedback?(adamw@FreeBSD.org) Assignee: adamw@FreeBSD.org Hi, I have updated security/gnupg to 2.2.23 version to address CVE-2013-457= 6, but the port is still considered vulnerable by pkg audit: # pkg info -x gnupg gnupg-2.2.23 # pkg audit gnupg-2.2.23 gnupg-2.2.23 is vulnerable: gnupg -- AEAD key import overflow CVE: CVE-2020-25125 WWW: https://vuxml.FreeBSD.org/freebsd/f9fa7adc-ee51-11ea-a240-002590acae31.html 1 problem(s) in 1 installed package(s) found. I have inspected the registered item in vuxml database and it seems to be f= ine: <vuln vid=3D"f9fa7adc-ee51-11ea-a240-002590acae31"> <topic>gnupg -- AEAD key import overflow</topic> <affects> <package> <name>gnupg</name> <range><ge>2.2.21</ge></range> <range><lt>2.2.23</lt></range> </package> As you can see, 2.2.23 is out of the range, and therefore 2.2.23 is not vulnerable. Am I doing something wrong or misunderstanding something? Regards --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-249110-7788>