pkg audit disagrees with pkg upgrade ???
freebsd at qeng-ho.org
Wed May 7 07:27:44 UTC 2014
On 06/05/2014 21:27, edflecko . wrote:
> I'm checking to see if I need to upgrade any installed packages. pkg audit
> -F says I have three vulnerabilities, but when I run pkg upgrade -y, it
> thinks everything is O.K. (see below)
> Why the discrepancy? Which one should I believe?
Apples and oranges. Just because a port has a vulnerability doesn't
necessarily mean there's a newer version available yet.
> fbsd_box# pkg audit -F
> Vulnxml file up-to-date.
> linux-f10-expat-2.0.1 is vulnerable:
> expat2 -- Parser crash with specially formatted UTF-8 sequences
> CVE: CVE-2009-3720
> WWW: http://portaudit.FreeBSD.org/5f030587-e39a-11de-881e-001aa0166822.html
> linux-f10-png-1.2.37_2 is vulnerable:
> png -- memory corruption/possible remote code execution
> CVE: CVE-2011-3048
> WWW: http://portaudit.FreeBSD.org/262b92fe-81c8-11e1-8899-001ec9578670.html
> linux-f10-tiff-3.8.2 is vulnerable:
> tiff -- Multiple integer overflows
> CVE: CVE-2009-2347
> WWW: http://portaudit.FreeBSD.org/8816bf3a-7929-11df-bcce-0018f3e2eb82.html
> 3 problem(s) in the installed packages found.
> fbsd_box# pkg upgrade -y
> Updating repository catalogue
> Nothing to do
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions