Postfix vulnerability wrongly reported by pkg audit?

Terje Elde terje at
Sun May 10 09:07:04 UTC 2015

> On 10 May 2015, at 10:01, Marko Turk <markoml at> wrote:
> today my postfix-2.11.4,1 was marked as vulnerable by the pkg audit
> tool. But, when I go to the web pages the tool outputs it says that my
> version of postfix is not vulnerable (and that these vulnerabilities are
> from 2011).
> Is my version also vulnerable or is there an issue with version check?

I looked into this yesterday myself, and I’m pretty sure this is just an issue with the version check.

There was a commit yesterday which changed wildcards to zeroes for several ports, including postfix:

The reason was that wildcards are not valid version-numbers, yet they do indeed seem valid for VuXML-version matching:

My guess is that this leads to the version-check logic throwing up your version of postfix as a false positive.

I fired off an email to the committer of the change, but no word yet.  Just been a few hours though.



More information about the freebsd-questions mailing list