Date: Tue, 3 May 2016 10:27:36 +0200
From: Christoph Pilka <c.pilka@asconix.com>
To: freebsd-questions@freebsd.org
Subject: pkg audit systemwide vs pkg audit packagewise
Message-ID: <1D71A8D8-2CD8-4C89-93BB-A53F48BE8588@asconix.com>
Hi,

I have a sort of weird behaviour when it comes to pkg audits. Same system:

#~ pkg audit -F

tells me:

Fetching vuln.xml.bz2: 100%  595 KiB 609.6kB/s    00:01
0 problem(s) in the installed packages found.

but running pkg audit for a specific package, e.g. bash:

#~ pkg audit -F bash

tells me:

Fetching vuln.xml.bz2: 100%  595 KiB 609.6kB/s    00:01
bash is vulnerable:
Affected versions:
  < 4.3.25_2
bash -- remote code execution
CVE: CVE-2014-6278
CVE: CVE-2014-6277
WWW: https://vuxml.FreeBSD.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html

bash is vulnerable:
Affected versions:
  < 4.3.27_1
bash -- out-of-bounds memory access in parser
CVE: CVE-2014-7187
CVE: CVE-2014-7186
WWW: https://vuxml.FreeBSD.org/freebsd/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html

bash is vulnerable:
Affected versions:
  > 4.3 : < 4.3.25_1
  > 4.2 : <= 4.2.48
  > 4.1 : <= 4.1.12
  > 4.0 : <= 4.0.39
  > 3.2 : <= 3.2.52
  > 3.1 : <= 3.1.18
  > 3.0 : <= 3.0.17
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: https://vuxml.FreeBSD.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html

1 problem(s) in the installed packages found.

That's confusing, especially because none of the version numbers in the CVEs listed above actually matches the version of bash that is installed on the system:

#~ pkg info bash | grep ^Version
Version        : 4.3.42_1

Am I doing something wrong or is it actually a bug?

Cheerio,
Chris
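The post lists the exact "Affected versions" ranges the VuXML database carries for bash, so the audit decision for a given installed version can be reproduced by hand. The following is an added example, not part of the original message and not pkg's own code: a simplified FreeBSD package-version comparator (numeric X.Y.Z components, `_REVISION`, `,EPOCH`; pkg's real comparator also understands letters, `pl`, `+` and similar, which is assumed not to matter for the versions shown) that evaluates the three entries from the post against an installed version. It shows that 4.3.42_1 falls outside every range, that older versions such as 4.3.24 fall inside, and that with no version at all there is nothing to compare, so every entry for the name is reported. The assumption that a bare `pkg audit bash` behaves like that no-version case, while the system-wide run uses the installed version, is an explanation offered here, not one drawn from the thread; the entry titles and ranges are copied from the post.

```python
import re
from typing import List, Optional, Tuple

# Constructed from the three entries shown in the post's `pkg audit -F bash` output.
BASH_ENTRIES = [
    ("bash -- remote code execution", ["< 4.3.25_2"]),
    ("bash -- out-of-bounds memory access in parser", ["< 4.3.27_1"]),
    ("bash -- remote code execution vulnerability", [
        "> 4.3 : < 4.3.25_1", "> 4.2 : <= 4.2.48", "> 4.1 : <= 4.1.12",
        "> 4.0 : <= 4.0.39", "> 3.2 : <= 3.2.52", "> 3.1 : <= 3.1.18",
        "> 3.0 : <= 3.0.17",
    ]),
]


def parse_version(v: str) -> Tuple[int, List[int], int]:
    """Split a FreeBSD package version X.Y.Z[_REVISION][,EPOCH] into
    (epoch, numeric components, revision). Simplified: only the numeric forms
    that appear in the post are handled (assumption, see lead-in)."""
    epoch = 0
    if "," in v:                      # epoch is a trailing ",N" and outranks everything
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:                      # port revision is a trailing "_N"
        v, r = v.split("_", 1)
        revision = int(r)
    parts = [int(p) for p in v.split(".")]
    return epoch, parts, revision


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator. Missing components count
    as 0, so "4.3" == "4.3.0" and "4.3" < "4.3.25"."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)


_COND = re.compile(r"^(<=|>=|<|>|=)\s*(\S+)$")
_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0, "=": lambda c: c == 0,
}


def in_range(version: Optional[str], rng: str) -> Optional[bool]:
    """Evaluate one "Affected versions" line such as "> 4.3 : < 4.3.25_1".
    The ':' joins a lower and an upper bound that must both hold. Returns
    None when there is no version to test (the bare-name case)."""
    if version is None:
        return None
    for cond in rng.split(":"):
        m = _COND.match(cond.strip())
        if not m:
            raise ValueError(f"unparsable condition: {cond!r}")
        op, bound = m.groups()
        if not _OPS[op](compare(version, bound)):
            return False
    return True


def audit(version: Optional[str], entries=BASH_ENTRIES) -> List[str]:
    """Titles of the entries that apply to `version`. An entry applies when any
    of its ranges matches; with no version at all, nothing can be excluded,
    so every entry is reported (assumed to mirror a bare `pkg audit bash`)."""
    hits = []
    for title, ranges in entries:
        if version is None or any(in_range(version, r) for r in ranges):
            hits.append(title)
    return hits


if __name__ == "__main__":
    for v in ["4.3.42_1", "4.3.25_1", "4.3.24", None]:
        print(f"{v!s:>10}: {len(audit(v))} entr(y/ies) match")
```

Run as a script it prints the match count for the installed version from the post (0), a version on the boundary of the first entry (2), an older vulnerable version (3), and the no-version case (3). The practical check this suggests for a single package is to hand the audit tool the full name-and-version string it can actually compare, rather than the bare name.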
