pkg audit disagrees with pkg upgrade ???
edflecko at gmail.com
Wed May 7 14:51:23 UTC 2014
Great, thank you.
Is there a way to see what package(s) is specifically using these dependent
packages? I might choose to remove the host package, for security reasons,
and thereby remove these as well.
On Wed, May 7, 2014 at 12:21 AM, Arthur Chance <freebsd at qeng-ho.org> wrote:
> On 06/05/2014 21:27, edflecko . wrote:
>> I'm checking to see if I need to upgrade any installed packages. pkg audit
>> -F says I have three vulnerabilities, but when I run pkg upgrade -y, it
>> thinks everything is O.K. (see below)
>> Why the discrepancy? Which one should I believe?
> Apples and oranges. Just because a port has a vulnerability doesn't
> necessarily mean there's a newer version available yet.
> fbsd_box# pkg audit -F
>> Vulnxml file up-to-date.
>> linux-f10-expat-2.0.1 is vulnerable:
>> expat2 -- Parser crash with specially formatted UTF-8 sequences
>> CVE: CVE-2009-3720
>> WWW: http://portaudit.FreeBSD.org/5f030587-e39a-11de-881e-
>> linux-f10-png-1.2.37_2 is vulnerable:
>> png -- memory corruption/possible remote code execution
>> CVE: CVE-2011-3048
>> WWW: http://portaudit.FreeBSD.org/262b92fe-81c8-11e1-8899-
>> linux-f10-tiff-3.8.2 is vulnerable:
>> tiff -- Multiple integer overflows
>> CVE: CVE-2009-2347
>> WWW: http://portaudit.FreeBSD.org/8816bf3a-7929-11df-bcce-
>> 3 problem(s) in the installed packages found.
>> fbsd_box# pkg upgrade -y
>> Updating repository catalogue
>> Nothing to do
>> freebsd-questions at freebsd.org mailing list
>> To unsubscribe, send any mail to "freebsd-questions-
>> unsubscribe at freebsd.org"
More information about the freebsd-questions