Date: Sun, 10 May 2015 11:06:54 +0200
From: Terje Elde <terje@elde.net>
To: Marko Turk <markoml@markoturk.info>
Cc: freebsd-questions@freebsd.org
Subject: Re: Postfix vulnarebility wrongly reported by pkg audit?
Message-ID: <58DE831C-17C4-425A-8761-623137AE302F@elde.net>
In-Reply-To: <20150510080130.GC2534@vps.markoturk.info>
References: <20150510080130.GC2534@vps.markoturk.info>
> On 10 May 2015, at 10:01, Marko Turk <markoml@markoturk.info> wrote:
>
> today my postfix-2.11.4,1 was marked as vulnerable by the pkg audit
> tool. But, when I go to the web pages the tool outputs it says that my
> version of postfix is not vulnerable (and that these vulnerabilities are
> from 2011).
>
> Is my version also vulnerable or is there an issue with version check?

I looked into this yesterday myself, and I'm pretty sure this is just an issue with the version check.

There was a commit yesterday which changed wildcards to zeroes for several ports, including postfix:
https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=385815&r2=385864

The reason was that wildcards are not valid version-numbers, yet they do indeed seem valid for VuXML-version matching:
https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html

My guess is that this leads to the version-check logic throwing up your version of postfix as a false positive.

I fired off an email to the committer of the change, but no word yet. Just been a few hours though.
Terje
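To triage a suspected `pkg audit` false positive like the one above, it helps to redo the version comparison by hand. The following is an added example, not code from the thread, from pkg(8) or from VuXML: it approximates the ordering described in pkg-version(8) (EPOCH after `,` dominates, then the dotted version, then PORTREVISION after `_`), and checks an installed package against VuXML-style `<range>` bounds. The vulnerability entries, their `EXAMPLE-VID-*` identifiers and the version bounds are constructed for illustration; the real 2015 vuln.xml entries for postfix are not reproduced, and the `*` wildcard whose matching semantics the thread questions is deliberately left unmodelled (it is not a valid pkg version).

```python
"""Simplified FreeBSD package version ordering and VuXML-style range check.

Added example, not from the mailing-list post. Approximates pkg-version(8):
  VERSION[_REVISION][,EPOCH]
A higher EPOCH outranks any VERSION, which is the classic way an audit
range written without ",1" compares surprisingly against postfix-2.11.4,1.
"""


def parse_pkg_version(s):
    """Split 'VERSION[_REVISION][,EPOCH]' into (epoch, components, revision).

    Dot-separated numeric pieces compare as integers; anything else compares
    as a string after all numeric pieces (a simplification of pkg's rules).
    """
    epoch = 0
    revision = 0
    if "," in s:
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    if "_" in s:
        s, r = s.rsplit("_", 1)
        revision = int(r)
    comps = [(0, int(p)) if p.isdigit() else (1, p) for p in s.split(".")]
    return epoch, comps, revision


def compare_pkg_versions(a, b):
    """Return -1, 0 or 1 like `pkg version -t a b` prints '<', '=' or '>'."""
    pa, pb = parse_pkg_version(a), parse_pkg_version(b)
    return (pa > pb) - (pa < pb)


# VuXML range operators, applied to the result of compare(installed, bound)
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def in_range(installed, bounds):
    """bounds: list of (op, version) pairs from one <range>; all must hold."""
    return all(OPS[op](compare_pkg_versions(installed, v)) for op, v in bounds)


# Constructed entries (hypothetical vids and ranges, NOT real vuln.xml data)
SAMPLE_ENTRIES = [
    # old-style bound written without the port's epoch: never matches ",1"
    {"vid": "EXAMPLE-VID-A", "name": "postfix", "ranges": [[("lt", "2.8.3")]]},
    # fixed-in version equal to the installed one: not vulnerable
    {"vid": "EXAMPLE-VID-B", "name": "postfix", "ranges": [[("lt", "2.11.4,1")]]},
    # epoch-aware range that does cover the installed version
    {"vid": "EXAMPLE-VID-C", "name": "postfix",
     "ranges": [[("ge", "2.11.0,1"), ("lt", "2.11.5,1")]]},
    {"vid": "EXAMPLE-VID-D", "name": "dovecot", "ranges": [[("lt", "2.2.99")]]},
]


def audit_package(pkg, entries):
    """Return the vids whose name and any range match 'name-version'."""
    name, version = pkg.rsplit("-", 1)
    return [
        e["vid"] for e in entries
        if e["name"] == name and any(in_range(version, r) for r in e["ranges"])
    ]


if __name__ == "__main__":
    print(compare_pkg_versions("2.11.4,1", "2.11.5"))   # 1: epoch wins
    print(audit_package("postfix-2.11.4,1", SAMPLE_ENTRIES))
```

On a FreeBSD host, individual comparisons can be cross-checked with `pkg version -t VERSION1 VERSION2`, which prints `<`, `=` or `>` using pkg's own rules; if the bound in the real vuln.xml entry compares the way this model predicts, the audit hit is genuine, otherwise the entry's version spelling (wildcard, missing epoch) is the likelier culprit.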