portaudit "forgot" 2006 vulnerabilities

Simon L. Nielsen simon at FreeBSD.org
Wed Jan 3 11:03:18 PST 2007

On 2007.01.03 19:32:58 +0100, Simon Barner wrote:
> David Taylor wrote:
> > Whilst catching up with the daily run and security run e-mails
> > from the past few days, I noticed the portaudit database was restarted
> > at the beginning of the year.  Is this the expected behaviour?
> > 
> > Now I still have vulnerable ports (with problems from last year which,
> > until Monday, were faithfully reported to me every week), but get the
> > message:
> > 
> > # portaudit -Fa
> > auditfile.tbz                                 100% of 5693  B   27 kBps
> > New database installed.
> > 0 problem(s) in your installed packages found.
> Same here...

There is a bug in the portaudit database generator: when the VuXML
document is broken so that it's not valid XML, the portaudit database
generator just stops and produces an incomplete database file instead
of not updating the database... This should of course be fixed so it's
not a problem, but there are only so many hours in a day.

I fixed the VuXML file about an hour ago, so the database should be OK now
(of course you have to download a new one with -F if testing).

BTW, if people see this thing please poke secteam@ like barner@ did,
since I will see the problem much faster than mails to ports@.

Simon L. Nielsen
FreeBSD Security Team
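A fail-closed version of the generator step described in the thread, added here as an illustration and not the actual FreeBSD portaudit generator code: the VuXML document is parsed completely before any output is produced, and the new database replaces the old one only through an atomic rename, so a broken document leaves the previous auditfile untouched instead of a truncated one that reports "0 problem(s)". The VuXML sample and the auditfile line layout below are constructed/assumed, not taken from the real database.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/2002/vuxml"}

# Constructed sample documents (not real FreeBSD VuXML entries).
GOOD_VUXML = """<?xml version="1.0"?>
<vuxml xmlns="http://www.vuxml.org/2002/vuxml">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>example -- constructed sample entry</topic>
    <affects><package><name>example</name><range><lt>1.2.3</lt></range></package></affects>
  </vuln>
</vuxml>
"""
# The same document with its closing tag lost, i.e. no longer valid XML.
BROKEN_VUXML = GOOD_VUXML.replace("</vuxml>", "")

def build_entries(vuxml_text):
    """Parse the whole document before producing any output; malformed XML
    raises ET.ParseError here, so nothing partial is ever written."""
    root = ET.fromstring(vuxml_text)
    entries = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        topic = vuln.findtext("v:topic", default="", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            name = pkg.findtext("v:name", namespaces=NS)
            for rng in pkg.findall("v:range", NS):
                lt = rng.findtext("v:lt", namespaces=NS)
                # Simplified auditfile line (assumed layout): pattern|url|description
                entries.append(f"{name}<{lt}|https://vuxml.freebsd.org/freebsd/{vid}.html|{topic}")
    return entries

def update_auditfile(vuxml_text, path):
    """Regenerate the database atomically: build it fully in memory, write it
    to a temp file next to the target, then rename over the old file. Any
    failure leaves the previous database in place rather than a truncated one."""
    entries = build_entries(vuxml_text)  # raises before the old file is touched
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".auditfile.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("\n".join(entries) + "\n")
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on POSIX: readers see the old or new file, never a partial one
    except BaseException:
        os.unlink(tmp)
        raise
    return len(entries)
```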

