Date: Wed, 7 May 2014 07:51:22 -0700
Subject: Re: pkg audit disagrees with pkg upgrade ???
From: "edflecko ."
To: freebsd-questions@freebsd.org

Great, thank you. Is there a way to see what package(s) is specifically using
these dependent packages? I might choose to remove the host package, for
security reasons, and thereby remove these as well.

Ed

On Wed, May 7, 2014 at 12:21 AM, Arthur Chance wrote:

> On 06/05/2014 21:27, edflecko . wrote:
>
>> I'm checking to see if I need to upgrade any installed packages. pkg audit
>> -F says I have three vulnerabilities, but when I run pkg upgrade -y, it
>> thinks everything is O.K. (see below)
>>
>> Why the discrepancy? Which one should I believe?
>>
>
> Apples and oranges. Just because a port has a vulnerability doesn't
> necessarily mean there's a newer version available yet.
>
>> fbsd_box# pkg audit -F
>>
>> Vulnxml file up-to-date.
>> linux-f10-expat-2.0.1 is vulnerable:
>> expat2 -- Parser crash with specially formatted UTF-8 sequences
>> CVE: CVE-2009-3720
>> WWW: http://portaudit.FreeBSD.org/5f030587-e39a-11de-881e-001aa0166822.html
>>
>> linux-f10-png-1.2.37_2 is vulnerable:
>> png -- memory corruption/possible remote code execution
>> CVE: CVE-2011-3048
>> WWW: http://portaudit.FreeBSD.org/262b92fe-81c8-11e1-8899-001ec9578670.html
>>
>> linux-f10-tiff-3.8.2 is vulnerable:
>> tiff -- Multiple integer overflows
>> CVE: CVE-2009-2347
>> WWW: http://portaudit.FreeBSD.org/8816bf3a-7929-11df-bcce-0018f3e2eb82.html
>>
>> 3 problem(s) in the installed packages found.
>>
>> fbsd_box# pkg upgrade -y
>> Updating repository catalogue
>> Nothing to do
>>
>> Ed
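
Added example, not part of the original thread: one way to map each package flagged by pkg audit to the installed packages that require it, so the "host" packages can be reviewed or removed. It assumes a pkg(8) that supports `pkg audit -q` and the `%rn`/`%rv` reverse-dependency keys of `pkg query`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: list which installed packages pull in the packages
# that `pkg audit` reports as vulnerable.

# Print "vulnerable-pkg<TAB>dependent-pkg" pairs, one per line.
# A vulnerable package that nothing depends on gets "-" as its dependent.
vulnerable_dependents() {
    # -q prints only the name-version of each vulnerable package.
    # pkg audit exits non-zero when it finds problems, hence "|| true".
    { pkg audit -q || true; } | while read -r vuln; do
        [ -n "$vuln" ] || continue
        # %rn-%rv expands once per reverse dependency (name-version).
        deps=$(pkg query '%rn-%rv' "$vuln" </dev/null || true)
        if [ -z "$deps" ]; then
            printf '%s\t-\n' "$vuln"
        else
            printf '%s\n' "$deps" | while read -r dep; do
                printf '%s\t%s\n' "$vuln" "$dep"
            done
        fi
    done
}

# Distinct dependents: the candidate "host" packages to review.
host_packages() {
    vulnerable_dependents | cut -f2 | grep -v '^-$' | sort -u
}

# Run only where pkg(8) is actually installed.
if command -v pkg >/dev/null 2>&1; then
    vulnerable_dependents
fi
```

A vulnerable package listed with "-" has no installed dependents and can be removed on its own; the others go away once every package in the `host_packages` output is removed and `pkg autoremove` is run.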