From: Ben Woods
To: Christoph Pilka
Cc: freebsd-questions@freebsd.org
Date: Tue, 3 May 2016 13:44:12 +0200
Subject: Re: pkg audit systemwide vs pkg audit packagewise

On Tuesday, 3 May 2016, Christoph Pilka wrote:
> Hi,
>
> I have a sort of weird behaviour when it comes to pkg audits. Same system:
>
> #~ pkg audit -F
>
> tells me:
>
> Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
> 0 problem(s) in the installed packages found.
>
> but running pkg audit for a specific package, e.g. bash:
>
> #~ pkg audit -F bash
>
> tells me:
>
> Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
> bash is vulnerable:
> Affected versions:
> < 4.3.25_2
> bash -- remote code execution
> CVE: CVE-2014-6278
> CVE: CVE-2014-6277
> WWW: https://vuxml.FreeBSD.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html
>
> bash is vulnerable:
> Affected versions:
> < 4.3.27_1
> bash -- out-of-bounds memory access in parser
> CVE: CVE-2014-7187
> CVE: CVE-2014-7186
> WWW: https://vuxml.FreeBSD.org/freebsd/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html
>
> bash is vulnerable:
> Affected versions:
> > 4.3 : < 4.3.25_1
> > 4.2 : <= 4.2.48
> > 4.1 : <= 4.1.12
> > 4.0 : <= 4.0.39
> > 3.2 : <= 3.2.52
> > 3.1 : <= 3.1.18
> > 3.0 : <= 3.0.17
> bash -- remote code execution vulnerability
> CVE: CVE-2014-7169
> CVE: CVE-2014-6271
> WWW: https://vuxml.FreeBSD.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html
>
> 1 problem(s) in the installed packages found.
>
> That's confusing, especially because none of the version numbers in the
> CVEs listed above actually matches the version of bash that is
> installed on the system:
>
> #~ pkg info bash | grep ^Version
>
> Version : 4.3.42_1
>
> Am I doing something wrong or is it actually a bug?
>
> Cheerio,
> Chris

Hi Chris,

Whilst this behaviour is not described in the pkg-audit(8) man page, it appears that when "pkg audit" is run without a specific package name it only shows vulnerabilities that affect the installed versions of packages, whilst when run with a specific package it shows all vulnerabilities, whether the installed package versions are affected or not.

If you review the output of "pkg audit -F bash" you will notice that none of the vulnerabilities affect your installed version of bash 4.3.42_1.

Regards,
Ben

-- 
From: Benjamin Woods
woodsb02@gmail.com
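As an added illustration (not code from the thread or from pkg itself), the following Python re-checks the "Affected versions" ranges quoted above against an installed version string, reproducing the filtering that a package-less "pkg audit" appears to apply. The version parsing is a simplified assumption that covers the numeric forms seen in this thread (epoch, dotted components, `_` revision); pkg's full comparison rules, including alphabetic suffixes, are not modelled.

```python
import re
from typing import List, Tuple

# Affected-version ranges transcribed from the pkg audit output quoted above.
BASH_ADVISORIES = {
    "bash -- remote code execution": ["< 4.3.25_2"],
    "bash -- out-of-bounds memory access in parser": ["< 4.3.27_1"],
    "bash -- remote code execution vulnerability": [
        "> 4.3 : < 4.3.25_1", "> 4.2 : <= 4.2.48", "> 4.1 : <= 4.1.12",
        "> 4.0 : <= 4.0.39", "> 3.2 : <= 3.2.52", "> 3.1 : <= 3.1.18",
        "> 3.0 : <= 3.0.17",
    ],
}

def parse_version(v: str) -> Tuple[int, List[int], int]:
    """Split a FreeBSD package version into (epoch, numeric parts, revision).
    Covers 'X.Y.Z', 'X.Y.Z_REV' and 'X.Y.Z_REV,EPOCH' (assumption: purely
    numeric components; alphabetic pre-release tags are not modelled)."""
    epoch = 0
    if "," in v:
        v, epoch_s = v.split(",", 1)
        epoch = int(epoch_s)
    revision = 0
    if "_" in v:
        v, rev_s = v.split("_", 1)
        revision = int(rev_s)
    return epoch, [int(p) for p in v.split(".")], revision

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def in_range(installed: str, spec: str) -> bool:
    """True if `installed` satisfies every bound of a spec such as
    '> 4.3 : < 4.3.25_1' (bounds are ':'-separated and ANDed together)."""
    inst = parse_version(installed)
    for bound in spec.split(":"):
        m = re.fullmatch(r"\s*(<=|>=|<|>)\s*(\S+)\s*", bound)
        if not m:
            raise ValueError(f"unparseable bound: {bound!r}")
        if not _OPS[m.group(1)](inst, parse_version(m.group(2))):
            return False
    return True

def affecting(installed: str, advisories=BASH_ADVISORIES) -> List[str]:
    """Advisory titles whose ranges actually include the installed version;
    this is the filtering a package-less 'pkg audit' appears to apply."""
    return [title for title, specs in advisories.items()
            if any(in_range(installed, s) for s in specs)]
```

Running `affecting("4.3.42_1")` for the installed bash in the thread returns an empty list, matching the "0 problem(s)" result, while an older version such as 4.3.24 matches all three advisories.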