Postfix vulnerability wrongly reported by pkg audit?
terje at elde.net
Sun May 10 09:07:04 UTC 2015
> On 10 May 2015, at 10:01, Marko Turk <markoml at markoturk.info> wrote:
> today my postfix-2.11.4,1 was marked as vulnerable by the pkg audit
> tool. But, when I go to the web pages the tool outputs it says that my
> version of postfix is not vulnerable (and that these vulnerabilities are
> from 2011).
> Is my version also vulnerable or is there an issue with version check?
I looked into this yesterday myself, and I’m pretty sure this is just an issue with the version check.
There was a commit yesterday which changed wildcards to zeroes for several ports, including postfix:
The reason was that wildcards are not valid version-numbers, yet they do indeed seem valid for VuXML-version matching:
My guess is that this leads to the version-check logic throwing up your version of postfix as a false positive.
I fired off an email to the committer of the change, but no word yet. Just been a few hours though.
More information about the freebsd-questions
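The version arithmetic the reply is reasoning about, as an added example that is not part of the original thread and not pkg(8)'s own code. It implements the documented shape of a FreeBSD package version, version[_revision][,epoch] (epoch compared first, then the dot-separated components, then the port revision), in a simplified form: the real comparator has extra rules for suffixes such as a/b/rc/pl and for mixed letter-digit components, which are left out here. It shows two things relevant to the thread: why 2.11.4,1 (epoch 1) orders above a plain 2.11.4 bound, and that a wildcard component such as "*" is not a version number at all, so a strict comparator rejects it rather than ordering it. It does not verify how pkg audit itself handled the wildcard ranges; that remains the reply's guess. The range bounds and installed versions below are constructed sample input.

```python
"""Simplified FreeBSD pkg-style version comparison (added example, assumptions noted)."""
import re
from typing import Iterable, Tuple

# A single component is either all digits or all letters; anything else,
# including the '*' wildcard, is not a version component.
_COMPONENT_RE = re.compile(r"^\d+$|^[a-z]+$")

# VuXML range operators, applied to the sign of compare_versions(installed, bound).
_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def parse_pkg_version(s: str) -> Tuple[int, Tuple[Tuple[int, str], ...], int]:
    """Split 'version[_revision][,epoch]' into (epoch, components, revision).

    Digit-only pieces become (n, ""), letter-only pieces become (0, letters),
    so tuples compare component-wise.  Raises ValueError for anything that
    is not a version number, e.g. '2.11.*'.
    """
    epoch = 0
    revision = 0
    if "," in s:
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    if "_" in s:
        s, r = s.rsplit("_", 1)
        revision = int(r)
    comps = []
    for piece in s.split("."):
        if not _COMPONENT_RE.match(piece):
            raise ValueError(f"not a valid version component: {piece!r}")
        comps.append((int(piece), "") if piece.isdigit() else (0, piece))
    return epoch, tuple(comps), revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1: epoch first, then components, then port revision."""
    ea, ca, ra = parse_pkg_version(a)
    eb, cb, rb = parse_pkg_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    # Pad the shorter component list with zero components so 2.11 == 2.11.0.
    n = max(len(ca), len(cb))
    ca += ((0, ""),) * (n - len(ca))
    cb += ((0, ""),) * (n - len(cb))
    if ca != cb:
        return (ca > cb) - (ca < cb)
    return (ra > rb) - (ra < rb)


def well_formed_range(bounds: Iterable[Tuple[str, str]]) -> bool:
    """False if any bound of a VuXML-style range is not a parseable version."""
    try:
        for _, v in bounds:
            parse_pkg_version(v)
    except ValueError:
        return False
    return True


def is_affected(installed: str, bounds: Iterable[Tuple[str, str]]) -> bool:
    """True if the installed version satisfies every (op, version) bound."""
    return all(_OPS[op](compare_versions(installed, v)) for op, v in bounds)


if __name__ == "__main__":
    # Constructed sample range, not a real VuXML entry.
    sample_range = [("ge", "2.11.0"), ("lt", "2.11.4")]
    print("2.11.3 affected:", is_affected("2.11.3", sample_range))      # True
    print("2.11.4,1 affected:", is_affected("2.11.4,1", sample_range))  # False (epoch 1 wins)
    print("wildcard bound well formed:", well_formed_range([("lt", "2.11.*")]))  # False
```

Compare the epoch handling against the installed version quoted in the question: 2.11.4,1 sits above every epoch-0 bound, so a correctly parsed range of epoch-0 versions cannot match it; a bound that fails to parse is the first thing to check when an audit result contradicts the advisory text.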