Date: Sun, 10 May 2015 11:06:54 +0200
From: Terje Elde <terje@elde.net>
To: Marko Turk <markoml@markoturk.info>
Cc: freebsd-questions@freebsd.org
Subject: Re: Postfix vulnerability wrongly reported by pkg audit?
Message-ID: <58DE831C-17C4-425A-8761-623137AE302F@elde.net>
In-Reply-To: <20150510080130.GC2534@vps.markoturk.info>
References: <20150510080130.GC2534@vps.markoturk.info>
> On 10 May 2015, at 10:01, Marko Turk <markoml@markoturk.info> wrote:
>
> today my postfix-2.11.4,1 was marked as vulnerable by the pkg audit
> tool. But, when I go to the web pages the tool outputs it says that my
> version of postfix is not vulnerable (and that these vulnerabilities are
> from 2011).
>
> Is my version also vulnerable or is there an issue with version check?

I looked into this yesterday myself, and I'm pretty sure this is just an issue with the version check.

There was a commit yesterday which changed wildcards to zeroes for several ports, including postfix:

https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=385815&r2=385864

The reason was that wildcards are not valid version-numbers, yet they do indeed seem valid for VuXML-version matching:

https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html

My guess is that this leads to the version-check logic throwing up your version of postfix as a false positive.

I fired off an email to the committer of the change, but no word yet. Just been a few hours though.

Terje
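To check a reported match by hand, the following is an added example (not code from the thread, from pkg or from the ports tree): a simplified FreeBSD-style version comparator of the form `version[_revision][,epoch]` and a VuXML-style range check. The sample ranges are constructed in the shape of a VuXML entry and are not the actual postfix entry; pre-release suffixes such as `rc` are not modelled, and a wildcard bound like `2.8.*` is rejected outright rather than guessed at, since the thread does not establish how pkg itself treats it.

```python
import re
from typing import List, Tuple

# Assumed, simplified grammar: version[_revision][,epoch], e.g. "2.11.4,1"
# has epoch 1 and revision 0.  Not pkg's own parser.
_VERSION_RE = re.compile(
    r"^(?P<ver>[0-9]+(?:\.[0-9]+)*)(?:_(?P<rev>[0-9]+))?(?:,(?P<epoch>[0-9]+))?$"
)


def is_valid_version(v: str) -> bool:
    """True for a parseable version; False for wildcards such as '2.8.*'."""
    return _VERSION_RE.match(v) is not None


def parse_version(v: str) -> Tuple[int, List[int], int]:
    """Return (epoch, numeric components, revision) or raise on junk."""
    m = _VERSION_RE.match(v)
    if not m:
        # A bound such as "2.8.*" is not a version number; refuse to compare
        # it rather than silently produce a match or a miss.
        raise ValueError(f"not a valid version number: {v!r}")
    return (int(m.group("epoch") or 0),
            [int(x) for x in m.group("ver").split(".")],
            int(m.group("rev") or 0))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1: epoch wins first, then dotted components, then revision."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    n = max(len(ca), len(cb))          # assumed: 2.8 compares equal to 2.8.0
    ca, cb = ca + [0] * (n - len(ca)), cb + [0] * (n - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    return (ra > rb) - (ra < rb)


_OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
        "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

# Constructed sample in VuXML shape: a package is affected if it satisfies
# every bound of any one <range>.
SAMPLE_RANGES = [[("ge", "2.8.0"), ("lt", "2.8.3")],
                 [("ge", "2.7.0"), ("lt", "2.7.4")]]


def affected(installed: str, ranges: List[List[Tuple[str, str]]]) -> bool:
    """True if `installed` falls inside at least one of the ranges."""
    return any(all(_OPS[op](compare(installed, b)) for op, b in r) for r in ranges)
```

Running `affected("2.11.4,1", SAMPLE_RANGES)` gives `False`, while a bound containing `*` raises rather than matching, which is the kind of entry the linked commit rewrote.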
