From owner-freebsd-questions@FreeBSD.ORG Sun May 10 09:07:04 2015
Delivered-To: freebsd-questions@freebsd.org
Subject: Re: Postfix vulnerability wrongly reported by pkg audit?
From: Terje Elde
Date: Sun, 10 May 2015 11:06:54 +0200
To: Marko Turk
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20150510080130.GC2534@vps.markoturk.info>
Message-Id: <58DE831C-17C4-425A-8761-623137AE302F@elde.net>

> On 10 May 2015, at 10:01, Marko Turk wrote:
>
> Today my postfix-2.11.4,1 was marked as vulnerable by the pkg audit
> tool. But, when I go to the web pages the tool outputs it says that my
> version of postfix is not vulnerable (and that these vulnerabilities are
> from 2011).
>
> Is my version also vulnerable or is there an issue with version check?

I looked into this yesterday myself, and I'm pretty sure this is just an issue with the version check.

There was a commit yesterday which changed wildcards to zeroes for several ports, including postfix:
https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=385815&r2=385864

The reason was that wildcards are not valid version numbers, yet they do indeed seem valid for VuXML version matching:
https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html

My guess is that this leads to the version-check logic throwing up your version of postfix as a false positive.

I fired off an email to the committer of the change, but no word yet. Just been a few hours though.
Terje
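The mechanism the reply describes (an audit tool comparing an installed package version against the `<lt>`/`<ge>`-style bounds of a VuXML `<range>`, and a bound written as a wildcard that is not a valid version string) is illustrated by the following added example. It is not code from the thread, from pkg(8) or from vuln.xml: the version comparison is a simplified model of the pkg-version(8) rules (epoch first, then dotted components with missing trailing components counted as 0, then port revision; the `pl`/`+` special cases and letter ordering are not modelled faithfully), and the VuXML fragment, its vid and its ranges are constructed for illustration and are not the real postfix entry.

```python
# Added example, not code from the thread or from pkg(8): a small model of
# how an audit tool decides whether an installed version falls inside a
# VuXML <range>, and why a bound that is not a valid version string (a
# wildcard such as "2.8.*") must be rejected rather than compared.
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# version[_revision][,epoch]; the character class deliberately excludes "*".
# Simplification of pkg-version(8) (assumption): 'pl', '+' and letter
# ordering are not modelled faithfully.
_PKGVER_RE = re.compile(r"^([0-9A-Za-z.+]+)(?:_(\d+))?(?:,(\d+))?$")


def parse_version(s: str) -> Tuple[int, List[Tuple[int, object]], int]:
    """Return (epoch, components, revision); raise ValueError for non-versions."""
    m = _PKGVER_RE.match(s)
    if not m:
        raise ValueError(f"not a valid package version: {s!r}")
    ver, rev, epoch = m.groups()
    comps: List[Tuple[int, object]] = []
    for piece in ver.split("."):
        if not piece:
            raise ValueError(f"empty component in {s!r}")
        # Digit runs compare numerically, letter runs lexically; the tag keeps
        # the two kinds from ever being compared against each other.
        for run in re.findall(r"\d+|[A-Za-z+]+", piece):
            comps.append((0, int(run)) if run.isdigit() else (1, run))
    return int(epoch or 0), comps, int(rev or 0)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, mirroring the '<', '=', '>' printed by `pkg version -t a b`.
    Epoch wins outright, then the dotted version (missing trailing components
    count as 0, an assumption), then the port revision."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    n = max(len(ca), len(cb))
    ca = ca + [(0, 0)] * (n - len(ca))
    cb = cb + [(0, 0)] * (n - len(cb))
    if ca != cb:
        return 1 if ca > cb else -1
    return (ra > rb) - (ra < rb)


_OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}


def affected_ranges(entry_xml: str, pkgname: str) -> List[Dict[str, str]]:
    """Collect the <range> bounds for pkgname from a VuXML <vuln> fragment."""
    root = ET.fromstring(entry_xml)
    ranges = []
    for pkg in root.iter("package"):
        if pkgname not in {n.text for n in pkg.findall("name")}:
            continue
        for rng in pkg.findall("range"):
            ranges.append({b.tag: b.text for b in rng if b.tag in _OPS})
    return ranges


def is_vulnerable(installed: str, ranges: List[Dict[str, str]]) -> bool:
    """True if installed satisfies every bound of at least one range.
    Every bound is validated first: a wildcard or other non-version bound
    raises ValueError instead of being compared as if it were a version."""
    for rng in ranges:
        for bound in rng.values():
            parse_version(bound)
    return any(
        all(_OPS[op](compare_versions(installed, bound)) for op, bound in rng.items())
        for rng in ranges
    )


def audit(installed: str, ranges: List[Dict[str, str]]) -> str:
    """String verdict, so the invalid-bound case is reportable rather than fatal."""
    try:
        return "vulnerable" if is_vulnerable(installed, ranges) else "not vulnerable"
    except ValueError as exc:
        return f"invalid bound: {exc}"


# Constructed VuXML fragment; the vid, topic and ranges are made up and are
# not the real postfix entry discussed in the thread.
SAMPLE_ENTRY = """
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>example entry -- illustration only</topic>
  <affects>
    <package>
      <name>postfix</name>
      <range><ge>2.7.0</ge><lt>2.7.4</lt></range>
      <range><ge>2.8.0</ge><lt>2.8.3</lt></range>
    </package>
  </affects>
</vuln>
"""
# Same entry with one bound written as a wildcard, the kind of bound the
# thread says was replaced with zeroes in vuln.xml.
WILDCARD_ENTRY = SAMPLE_ENTRY.replace("<ge>2.8.0</ge>", "<ge>2.8.*</ge>")

if __name__ == "__main__":
    good = affected_ranges(SAMPLE_ENTRY, "postfix")
    bad = affected_ranges(WILDCARD_ENTRY, "postfix")
    for installed in ("2.8.2", "2.11.4,1"):
        print(installed, "->", audit(installed, good), "|", audit(installed, bad))
```

Two things worth noticing when reproducing this on a real system. First, the epoch (`,1` in `postfix-2.11.4,1`) is compared before anything else, so a bound written without an epoch sits below any version that carries one; `pkg version -t 2.11.4,1 3.0` prints `>` for that reason. Second, the real check is `pkg audit -F postfix`, which refetches vuln.xml before auditing, so re-running it after the vuln.xml commit linked above is the quickest way to see whether the report goes away.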