From: Arthur Chance
Date: Wed, 07 May 2014 08:21:58 +0100
To: "edflecko .", freebsd-questions@freebsd.org
Subject: Re: pkg audit disagrees with pkg upgrade ???
Message-ID: <5369DF16.40000@qeng-ho.org>

On 06/05/2014 21:27, edflecko . wrote:
> I'm checking to see if I need to upgrade any installed packages. pkg audit
> -F says I have three vulnerabilities, but when I run pkg upgrade -y, it
> thinks everything is O.K. (see below)
>
> Why the discrepancy? Which one should I believe?

Apples and oranges. Just because a port has a vulnerability doesn't
necessarily mean there's a newer version available yet.

> fbsd_box# pkg audit -F
>
> Vulnxml file up-to-date.
> linux-f10-expat-2.0.1 is vulnerable:
> expat2 -- Parser crash with specially formatted UTF-8 sequences
> CVE: CVE-2009-3720
> WWW: http://portaudit.FreeBSD.org/5f030587-e39a-11de-881e-001aa0166822.html
>
> linux-f10-png-1.2.37_2 is vulnerable:
> png -- memory corruption/possible remote code execution
> CVE: CVE-2011-3048
> WWW: http://portaudit.FreeBSD.org/262b92fe-81c8-11e1-8899-001ec9578670.html
>
> linux-f10-tiff-3.8.2 is vulnerable:
> tiff -- Multiple integer overflows
> CVE: CVE-2009-2347
> WWW: http://portaudit.FreeBSD.org/8816bf3a-7929-11df-bcce-0018f3e2eb82.html
>
> 3 problem(s) in the installed packages found.
>
> fbsd_box# pkg upgrade -y
> Updating repository catalogue
> Nothing to do
>
>
> Ed
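
The distinction drawn in the reply above, as an added example that is not part of the original thread: a POSIX sh script that parses `pkg audit` output in the format quoted here and marks each finding by whether an upgrade is pending. The function names, the status labels and the space-separated list of pending package names are assumptions of this example; the sample input is constructed from the quoted output.

```sh
#!/bin/sh
# Added example, not from the thread: triage `pkg audit` findings.

# Constructed sample: the audit output quoted in the message above.
sample_audit() {
    cat <<'EOF'
Vulnxml file up-to-date.
linux-f10-expat-2.0.1 is vulnerable:
expat2 -- Parser crash with specially formatted UTF-8 sequences
CVE: CVE-2009-3720
WWW: http://portaudit.FreeBSD.org/5f030587-e39a-11de-881e-001aa0166822.html

linux-f10-png-1.2.37_2 is vulnerable:
png -- memory corruption/possible remote code execution
CVE: CVE-2011-3048
WWW: http://portaudit.FreeBSD.org/262b92fe-81c8-11e1-8899-001ec9578670.html

linux-f10-tiff-3.8.2 is vulnerable:
tiff -- Multiple integer overflows
CVE: CVE-2009-2347
WWW: http://portaudit.FreeBSD.org/8816bf3a-7929-11df-bcce-0018f3e2eb82.html

3 problem(s) in the installed packages found.
EOF
}

# Read audit output on stdin; print "<name-version>\t<CVEs>\t<advisory URL>".
audit_findings() {
    awk '
        function emit() { if (pkg != "") printf "%s\t%s\t%s\n", pkg, cve, url; pkg = "" }
        / is vulnerable:$/ { emit(); pkg = $1; cve = "-"; url = "-"; next }
        pkg != "" && $1 == "CVE:" { cve = (cve == "-") ? $2 : cve "," $2; next }
        pkg != "" && $1 == "WWW:" { url = $2; next }
        END { emit() }'
}

# $1: space-separated package names (no version) with an upgrade pending;
# an empty list corresponds to "Nothing to do". Findings arrive on stdin.
triage() {
    awk -F '\t' -v pending="$1" '
        BEGIN { n = split(pending, p, " "); for (i = 1; i <= n; i++) has[p[i]] = 1 }
        {
            name = $1; sub(/-[^-]*$/, "", name)   # version follows the last "-"
            status = (name in has) ? "UPGRADE_AVAILABLE" : "NO_FIX_IN_REPO"
            printf "%s\t%s\t%s\t%s\n", status, $1, $2, $3
        }'
}

sample_audit | audit_findings | triage ""
```

On a live host, `pkg audit -F` takes the place of `sample_audit`; findings marked NO_FIX_IN_REPO are the ones `pkg upgrade` cannot resolve yet.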