Date: Tue, 3 May 2016 10:27:36 +0200
From: Christoph Pilka <c.pilka@asconix.com>
To: freebsd-questions@freebsd.org
Subject: pkg audit systemwide vs pkg audit packagewise
Message-ID: <1D71A8D8-2CD8-4C89-93BB-A53F48BE8588@asconix.com>

Hi,

I have a sort of weird behaviour when it comes to pkg audits. Same system:

#~ pkg audit -F

tells me:

Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
0 problem(s) in the installed packages found.

but running pkg audit for a specific package, e.g. bash:

#~ pkg audit -F bash

tells me:

Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
bash is vulnerable:
Affected versions:
< 4.3.25_2
bash -- remote code execution
CVE: CVE-2014-6278
CVE: CVE-2014-6277
WWW: https://vuxml.FreeBSD.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html

bash is vulnerable:
Affected versions:
< 4.3.27_1
bash -- out-of-bounds memory access in parser
CVE: CVE-2014-7187
CVE: CVE-2014-7186
WWW: https://vuxml.FreeBSD.org/freebsd/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html

bash is vulnerable:
Affected versions:
> 4.3 : < 4.3.25_1
> 4.2 : <= 4.2.48
> 4.1 : <= 4.1.12
> 4.0 : <= 4.0.39
> 3.2 : <= 3.2.52
> 3.1 : <= 3.1.18
> 3.0 : <= 3.0.17
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: https://vuxml.FreeBSD.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html

1 problem(s) in the installed packages found.

That's confusing, especially because none of the version numbers in the CVEs listed above actually matches the version of bash that is installed on the system:

#~ pkg info bash | grep ^Version
Version : 4.3.42_1

Am I doing something wrong or is it actually a bug?

Cheerio,
Chris
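
The range check described in the message, as an added example that is not part of the original post and is not pkg's own code: it tests an installed version against the "Affected versions" ranges quoted above. The names `ADVISORIES`, `version_key`, `in_range` and `matching_advisories` are hypothetical, and the version ordering is a simplified assumption that covers only dotted integers with an optional `_PORTREVISION` suffix.

```python
import operator

# Affected-version ranges copied from the pkg audit output quoted in the message.
# Each advisory has one or more ranges; a range is a list of (op, version) bounds.
ADVISORIES = {
    "CVE-2014-6278, CVE-2014-6277": [[("<", "4.3.25_2")]],
    "CVE-2014-7187, CVE-2014-7186": [[("<", "4.3.27_1")]],
    "CVE-2014-7169, CVE-2014-6271": [
        [(">", "4.3"), ("<", "4.3.25_1")],
        [(">", "4.2"), ("<=", "4.2.48")],
        [(">", "4.1"), ("<=", "4.1.12")],
        [(">", "4.0"), ("<=", "4.0.39")],
        [(">", "3.2"), ("<=", "3.2.52")],
        [(">", "3.1"), ("<=", "3.1.18")],
        [(">", "3.0"), ("<=", "3.0.17")],
    ],
}

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def version_key(version):
    """Simplified ordering key (assumption): dotted integers plus optional _PORTREVISION.

    Epochs (",N") and alphabetic components, which pkg also handles, are not covered.
    """
    base, _, revision = version.partition("_")
    return tuple(int(part) for part in base.split(".")), int(revision or 0)


def in_range(installed, bounds):
    """True when the installed version satisfies every bound of one range."""
    key = version_key(installed)
    return all(OPS[op](key, version_key(bound)) for op, bound in bounds)


def matching_advisories(installed, advisories=ADVISORIES):
    """Return the advisories with at least one range containing the installed version."""
    return [
        name
        for name, ranges in advisories.items()
        if any(in_range(installed, bounds) for bounds in ranges)
    ]


if __name__ == "__main__":
    for candidate in ("4.3.42_1", "4.3.25_1", "4.2.48"):
        print(candidate, "->", matching_advisories(candidate) or "no matching range")
```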