Date:      Mon, 16 Oct 2006 18:10:53 -0700
From:      James Long <list@museum.rain.com>
To:        freebsd-questions@freebsd.org
Subject:   portaudit thinks a vulnerability just disappeared
Message-ID:  <20061017011053.GA9364@ns.museum.rain.com>

I have a 4.11-RELEASE system.

Prior to doing some minor portupdates, I had this portaudit report:

Checking for packages with security vulnerabilities:

Affected package: php4-4.4.1_3
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>

Affected package: php4-4.4.1_3
Type of problem: php -- multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/ea09c5df-4362-11db-81e1-000e0c2e438a.html>

Affected package: ruby-1.8.4_3,1
Type of problem: ruby - multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html>

Affected package: apache+mod_ssl-1.3.34+2.8.25_2
Type of problem: apache -- mod_rewrite buffer overflow vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html>

Affected package: mutt-1.4.2.1_2
Type of problem: mutt -- Remote Buffer Overflow Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/d2a43243-087b-11db-bc36-0008743bf21a.html>

5 problem(s) in your installed packages found.


I cvsup'ped my ports tree and portupgraded ruby, mutt and portaudit, 
but not any of their dependencies (since version number changes were 
minor).

portaudit -aF now thinks:

www : 17:59:17 /root# portaudit -aF
auditfile.tbz                                 100% of   38 kB  138 kBps
New database installed.
Affected package: php4-4.4.1_3
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>

Affected package: php4-4.4.1_3
Type of problem: php -- multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/ea09c5df-4362-11db-81e1-000e0c2e438a.html>

2 problem(s) in your installed packages found.


Why does portaudit think the apache+mod_ssl problem went away?  The 
installed version is still:

apache+mod_ssl-1.3.34+2.8.25_2 The Apache 1.3 webserver with SSL/TLS functionality


Thanks!

Jim


