Date: Sat, 12 Dec 2020 19:45:38 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 251790] security/base-audit: incorrectly reports that 12.2p2 is vuln Message-ID: <bug-251790-7788-WRHOSNiyIq@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-251790-7788@https.bugs.freebsd.org/bugzilla/> References: <bug-251790-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D251790 --- Comment #2 from Miroslav Lachman <000.fbsd@quip.cz> --- If there is some problem then I think it is not in base-audit but in "pkg audit" or vuln.xml I just checked the commands called by base-audit script: % pkg audit FreeBSD-kernel-12.2_1 0 problem(s) in 0 installed package(s) found. % pkg audit FreeBSD-kernel-12.2_2 0 problem(s) in 0 installed package(s) found. % pkg audit FreeBSD-12.2_1 FreeBSD-12.2_1 is vulnerable: OpenSSL -- NULL pointer de-reference CVE: CVE-2020-1971 WWW: https://vuxml.FreeBSD.org/freebsd/1d56cfc5-3970-11eb-929d-d4c9ef517024.html 1 problem(s) in 1 installed package(s) found. % pkg audit FreeBSD-12.2_2 FreeBSD-12.2_2 is vulnerable: OpenSSL -- NULL pointer de-reference CVE: CVE-2020-1971 WWW: https://vuxml.FreeBSD.org/freebsd/1d56cfc5-3970-11eb-929d-d4c9ef517024.html 1 problem(s) in 1 installed package(s) found. So "pkg audit" reports both userland versions as vulnerable and both Kernel versions as fixed. For the record - kernel version does not matter when base-audit checks jails because it is not used in this check. base-audit script extracts the jails userland version by this command: jexec $jid freebsd-version -u --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-251790-7788-WRHOSNiyIq>