[Bug 286455] pkg-audit(8) listing false positives for librewolf v137.0.2 with "vuln.xml" of 20250425
Date: Tue, 29 Apr 2025 20:34:47 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286455

            Bug ID: 286455
           Summary: pkg-audit(8) listing false positives for librewolf v137.0.2 with "vuln.xml" of 20250425
           Product: Base System
           Version: 14.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: ax61@disroot.org

For some reason "pkg-audit(8)" ("pkg" v2.1.2) is listing past 6 vulnerabilities for "librewolf" v137.0.2.

    pkg info --regex 'librewo|firefox'
    librewolf-137.0.2
    firefox-esr-128.10.0,1

    pkg audit -F
    vulnxml file up-to-date
    librewolf-137.0.2 is vulnerable:
      mozilla -- Memory safety bugs
      CVE: CVE-2025-1937
      WWW: https://vuxml.FreeBSD.org/freebsd/aeb2ca87-109d-11f0-8195-b42e991fc52e.html

      firefox -- authentication bypass
      CVE: CVE-2025-0245
      WWW: https://vuxml.FreeBSD.org/freebsd/f7d80111-116c-11f0-8b2c-b42e991fc52e.html

      mozilla -- 64 bit JIT WASM read on left over memory
      CVE: CVE-2025-1933
      WWW: https://vuxml.FreeBSD.org/freebsd/a93a1d2a-109d-11f0-8195-b42e991fc52e.html

      mozilla -- memory corruption
      CVE: CVE-2025-1934
      CVE: CVE-2025-1935
      CVE: CVE-2025-1938
      WWW: https://vuxml.FreeBSD.org/freebsd/b31a4e74-109d-11f0-8195-b42e991fc52e.html

      mozilla -- memory corruption
      CVE: CVE-2025-1943
      WWW: https://vuxml.FreeBSD.org/freebsd/37c368f1-10a2-11f0-8195-b42e991fc52e.html

      mozilla -- use-after-free in WebTransport connection
      CVE: CVE-2025-1931
      WWW: https://vuxml.FreeBSD.org/freebsd/acf902f6-109d-11f0-8195-b42e991fc52e.html

    6 problem(s) in 1 package(s) found.

I downloaded the "vuln.xml" file which has timestamp of 20250425-160021 UTC, SHA256 checksum of 653f29ab2775f15162dbb4c146dc3e00e7e33e6d5239d047399006f07bf4808c. "pkg audit -f above/vuln.xml" lists the same issues.

-- 
You are receiving this mail because:
You are the assignee for the bug.