Date: Mon, 7 Sep 2015 09:59:15 +0200
From: Marko Turk
To: freebsd-pkg@freebsd.org
Subject: Pkg audit package not identified as vulnerable
Message-ID: <20150907075915.GA1702@vps.markoturk.info>

Hi,

I have both gstreamer1-libav and ffmpeg installed. Both are vulnerable
(according to vuxml.freebsd.org) but pkg audit prints one package two
times. Additionally, pkg audit -v prints only one package as vulnerable.
Is this intended behavior?

BR,
Marko

root@shkatula:~ # pkg audit
gstreamer1-libav-1.4.5 is vulnerable:
ffmpeg -- use after free
CVE: CVE-2015-3417
WWW: https://vuxml.FreeBSD.org/freebsd/da434a78-e342-4d9a-87e2-7497e5f117ba.html

gstreamer1-libav-1.4.5 is vulnerable:
ffmpeg -- out-of-bounds array access
CVE: CVE-2015-3395
WWW: https://vuxml.FreeBSD.org/freebsd/80c66af0-d1c5-449e-bd31-63b12525ff88.html

1 problem(s) in the installed packages found.
root@shkatula:~ # pkg audit -q
gstreamer1-libav-1.4.5
root@shkatula:~ #