From: Christoph Pilka
Subject: pkg audit systemwide vs pkg audit packagewise
Date: Tue, 3 May 2016 10:27:36 +0200
To: freebsd-questions@freebsd.org
Message-Id: <1D71A8D8-2CD8-4C89-93BB-A53F48BE8588@asconix.com>

Hi,

I have a sort of weird behaviour when it comes to pkg audits. Same system:

#~ pkg audit -F

tells me:

Fetching vuln.xml.bz2: 100%    595 KiB 609.6kB/s    00:01
0 problem(s) in the installed packages found.

but running pkg audit for a specific package, e.g. bash:

#~ pkg audit -F bash

tells me:

Fetching vuln.xml.bz2: 100%    595 KiB 609.6kB/s    00:01
bash is vulnerable:
Affected versions:
< 4.3.25_2
bash -- remote code execution
CVE: CVE-2014-6278
CVE: CVE-2014-6277
WWW: https://vuxml.FreeBSD.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html

bash is vulnerable:
Affected versions:
< 4.3.27_1
bash -- out-of-bounds memory access in parser
CVE: CVE-2014-7187
CVE: CVE-2014-7186
WWW: https://vuxml.FreeBSD.org/freebsd/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html

bash is vulnerable:
Affected versions:
> 4.3 : < 4.3.25_1
> 4.2 : <= 4.2.48
> 4.1 : <= 4.1.12
> 4.0 : <= 4.0.39
> 3.2 : <= 3.2.52
> 3.1 : <= 3.1.18
> 3.0 : <= 3.0.17
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: https://vuxml.FreeBSD.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html

1 problem(s) in the installed packages found.

That's confusing, especially because none of the version numbers in the CVEs listed above actually matches the version of bash that is installed on the system:

#~ pkg info bash | grep ^Version
Version        : 4.3.42_1

Am I doing something wrong or is it actually a bug?

Cheerio,
Chris
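The following is an added example, not part of Christoph's post and not code from the FreeBSD pkg project. It shows how to check by hand whether an installed version falls inside the "Affected versions" ranges that pkg audit prints: it implements a simplified FreeBSD package version comparison (numeric dotted components, optional _revision, optional ,epoch; letter suffixes are handled only crudely) and evaluates range specs of the form "> 4.3 : < 4.3.25_1". The entries below are constructed from the ranges and the installed version shown in the mail, not read from vuln.xml; the function names audit, in_range and compare are the example's own.

```python
import re

# Constructed from the mail: the installed bash version and the three
# "Affected versions" range sets that pkg audit -F bash printed.
INSTALLED = "4.3.42_1"
AFFECTED_RANGES = [
    ("bash -- remote code execution (CVE-2014-6277, CVE-2014-6278)",
     ["< 4.3.25_2"]),
    ("bash -- out-of-bounds memory access in parser (CVE-2014-7186, CVE-2014-7187)",
     ["< 4.3.27_1"]),
    ("bash -- remote code execution vulnerability (CVE-2014-6271, CVE-2014-7169)",
     ["> 4.3 : < 4.3.25_1", "> 4.2 : <= 4.2.48", "> 4.1 : <= 4.1.12",
      "> 4.0 : <= 4.0.39", "> 3.2 : <= 3.2.52", "> 3.1 : <= 3.1.18",
      "> 3.0 : <= 3.0.17"]),
]


def parse_version(version):
    """Split 'ver[_revision][,epoch]' into (epoch, components, revision).

    Each dotted component becomes (number, letter_tail) so that 25 < 42
    compares numerically rather than as text.  This is a simplification of
    the real FreeBSD version grammar (assumption of this example).
    """
    epoch = 0
    if "," in version:
        version, e = version.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in version:
        version, r = version.rsplit("_", 1)
        revision = int(r)
    components = []
    for comp in version.split("."):
        m = re.match(r"(\d*)(.*)", comp)
        components.append((int(m.group(1) or 0), m.group(2)))
    return epoch, components, revision


def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    # Pad the shorter component list so 4.3 and 4.3.0 compare equal.
    n = max(len(pa), len(pb))
    pa = pa + [(0, "")] * (n - len(pa))
    pb = pb + [(0, "")] * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)


# Operators as they appear in VuXML range output.
OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "=": lambda c: c == 0,
}


def in_range(installed, spec):
    """True if every bound in a spec like '> 4.3 : < 4.3.25_1' holds."""
    for bound in spec.split(":"):
        op, ver = bound.split()
        if not OPS[op](compare(installed, ver)):
            return False
    return True


def audit(installed, entries):
    """Return the titles of entries whose range set covers the installed version."""
    return [title for title, ranges in entries
            if any(in_range(installed, r) for r in ranges)]


if __name__ == "__main__":
    hits = audit(INSTALLED, AFFECTED_RANGES)
    print(f"{INSTALLED}: {len(hits)} matching entries")
    for title in hits:
        print("  ", title)
```

Run against the mail's own data, audit("4.3.42_1", ...) returns no entries, which agrees with the system-wide "0 problem(s)" result: 4.3.42_1 is newer than every upper bound listed. Running the same check against an older constructed version such as 4.3.24 returns all three entries, which is the kind of cross-check worth doing whenever the per-package and system-wide outputs disagree.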