Postfix vulnerability wrongly reported by pkg audit?
Terje Elde
terje at elde.net
Sun May 10 09:07:04 UTC 2015
> On 10 May 2015, at 10:01, Marko Turk <markoml at markoturk.info> wrote:
>
> today my postfix-2.11.4,1 was marked as vulnerable by the pkg audit
> tool. But, when I go to the web pages the tool outputs it says that my
> version of postfix is not vulnerable (and that these vulnerabilities are
> from 2011).
>
> Is my version also vulnerable or is there an issue with version check?
I looked into this yesterday myself, and I’m pretty sure this is just an issue with the version check.
There was a commit yesterday which changed wildcards to zeroes for several ports, including postfix:
https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=385815&r2=385864
The reason was that wildcards are not valid version numbers, yet they do indeed seem valid for VuXML version matching:
https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html
My guess is that this leads to the version-check logic throwing up your version of postfix as a false positive.
I fired off an email to the committer of the change, but no word yet. Just been a few hours though.
Terje
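To make the version-check mechanism in this thread concrete, here is an added example (not FreeBSD's own code and not the postfix VuXML entry itself): a simplified model of how pkg audit compares an installed version such as postfix-2.11.4,1 against the <range> bounds of a VuXML entry. It follows pkg's documented name-version[_revision][,epoch] scheme, compares the epoch first, pads missing trailing components with zeros, and rejects wildcards the way a package version parser would. The ranges in CLOSED_RANGES and OPEN_ENDED_RANGES are constructed for illustration; the letter and pre-release suffix rules of the real comparator are left out.

```python
"""Added example (not FreeBSD's own code): a simplified model of how
pkg audit checks an installed package version against the <range>
bounds of a VuXML entry.  Version syntax follows pkg's documented
name-version[_revision][,epoch] scheme; the letter and pre-release
suffix rules of the real comparator are deliberately left out."""
import re

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?$")


def parse_version(text: str) -> tuple:
    """Return (epoch, numeric components, revision) for e.g. '2.11.4,1'.

    Epoch comes first because pkg compares PORTEPOCH before anything else.
    Wildcards such as '2.9.*' are rejected: they are not package versions.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a valid package version: {text!r}")
    version, revision, epoch = m.groups()
    parts = tuple(int(p) for p in version.split("."))
    return (int(epoch or 0), parts, int(revision or 0))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 as version a is lower than, equal to or higher than b.
    Missing trailing components count as zero, so 2.8 == 2.8.0."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    if pa != pb:
        return (pa > pb) - (pa < pb)
    return (ra > rb) - (ra < rb)


def in_range(installed: str, ge=None, gt=None, lt=None, le=None) -> bool:
    """True when installed satisfies every bound given, like one VuXML <range>.
    A range with no upper bound is open-ended and matches every newer version."""
    if ge is not None and compare(installed, ge) < 0:
        return False
    if gt is not None and compare(installed, gt) <= 0:
        return False
    if lt is not None and compare(installed, lt) >= 0:
        return False
    if le is not None and compare(installed, le) > 0:
        return False
    return True


def is_affected(installed: str, ranges: list) -> bool:
    """pkg audit semantics: the package is flagged if any one range matches."""
    return any(in_range(installed, **r) for r in ranges)


# Constructed ranges in the shape of a VuXML <package> entry; the real
# postfix entry and the commit discussed in the thread are not reproduced.
CLOSED_RANGES = [
    {"ge": "2.7", "lt": "2.7.4"},
    {"ge": "2.8", "lt": "2.8.3"},
]
# The same entry with its second upper bound lost: everything from 2.8 on
# now matches, which is the shape of a version-check false positive.
OPEN_ENDED_RANGES = [
    {"ge": "2.7", "lt": "2.7.4"},
    {"ge": "2.8"},
]

# pkg splits name from version at the last dash of the package name.
INSTALLED = "postfix-2.11.4,1".rsplit("-", 1)[1]


if __name__ == "__main__":
    print(is_affected(INSTALLED, CLOSED_RANGES))      # False
    print(is_affected(INSTALLED, OPEN_ENDED_RANGES))  # True
    try:
        parse_version("2.9.*")
    except ValueError as err:
        print(err)  # wildcards are not package versions
```

Two things the model makes visible: the `,1` epoch on the installed postfix makes it compare higher than any bound written without an epoch, so a properly closed range from 2011 cannot match it, while a range that lost its upper bound (or whose bound no longer parses as the author intended) matches every current version. Checking the installed version against the entry's bounds by hand, as done in this thread, is the quickest way to tell a real finding from a matching bug.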