pkg audit systemwide vs pkg audit packagewise

Christoph Pilka c.pilka at asconix.com
Tue May 3 08:48:18 UTC 2016


Hi,

I have a sort of weird behaviour when it comes to pkg audits. Same system:

#~ pkg audit -F

tells me:

	Fetching vuln.xml.bz2: 100%  595 KiB 609.6kB/s    00:01    
	0 problem(s) in the installed packages found.

but running pkg audit for a specific package, e.g. bash:

#~ pkg audit -F bash

tells me:

	Fetching vuln.xml.bz2: 100%  595 KiB 609.6kB/s    00:01    
	bash is vulnerable:
	Affected versions:
	< 4.3.25_2
	bash -- remote code execution
	CVE: CVE-2014-6278
	CVE: CVE-2014-6277
	WWW: https://vuxml.FreeBSD.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html

	bash is vulnerable:
	Affected versions:
	< 4.3.27_1
	bash -- out-of-bounds memory access in parser
	CVE: CVE-2014-7187
	CVE: CVE-2014-7186
	WWW: https://vuxml.FreeBSD.org/freebsd/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html

	bash is vulnerable:
	Affected versions:
	> 4.3 : < 4.3.25_1
	> 4.2 : <= 4.2.48
	> 4.1 : <= 4.1.12
	> 4.0 : <= 4.0.39
	> 3.2 : <= 3.2.52
	> 3.1 : <= 3.1.18
	> 3.0 : <= 3.0.17
	bash -- remote code execution vulnerability
	CVE: CVE-2014-7169
	CVE: CVE-2014-6271
	WWW: https://vuxml.FreeBSD.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html

	1 problem(s) in the installed packages found.

That's confusing, especially because none of the version numbers in the CVEs listed above actually matches the version of bash that is installed on the system:

#~ pkg info bash | grep ^Version

	Version        : 4.3.42_1

Am I doing something wrong or is it actually a bug?

Cheerio,
Chris
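As an added illustration (not part of the original post, and not pkg's own code), here is a small Python checker that applies the VuXML ranges quoted above to the installed version string. It uses a simplified version ordering (epoch, dotted numeric components, then _PORTREVISION; letter suffixes are not handled) and shows that 4.3.42_1 falls inside none of the three ranges.

```python
import re

# Constructed input: the three VuXML range blocks quoted in the post above,
# and the installed bash version reported by `pkg info bash`.
INSTALLED = "4.3.42_1"
RANGES = [
    ["< 4.3.25_2"],
    ["< 4.3.27_1"],
    ["> 4.3 : < 4.3.25_1", "> 4.2 : <= 4.2.48", "> 4.1 : <= 4.1.12",
     "> 4.0 : <= 4.0.39", "> 3.2 : <= 3.2.52", "> 3.1 : <= 3.1.18",
     "> 3.0 : <= 3.0.17"],
]

def version_key(v):
    """Simplified FreeBSD pkg ordering: (epoch, dotted numeric parts, _PORTREVISION).
    Assumption: version components are purely numeric (no 'a', 'pl', etc.)."""
    epoch = 0
    if "," in v:                      # ports epoch: version_rev,epoch
        v, e = v.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:                      # PORTREVISION ranks below every dotted part
        v, r = v.split("_", 1)
        rev = int(r)
    return (epoch, tuple(int(p) for p in v.split(".")), rev)

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "=": lambda a, b: a == b}
BOUND = re.compile(r"^(<=|>=|<|>|=)\s*(\S+)$")

def in_range(installed, spec):
    """True if `installed` satisfies every bound of a range line like '> 4.2 : <= 4.2.48'."""
    key = version_key(installed)
    for bound in spec.split(":"):
        m = BOUND.match(bound.strip())
        if not m:
            raise ValueError(f"unparseable bound: {bound!r}")
        op, ver = m.groups()
        if not OPS[op](key, version_key(ver)):
            return False
    return True

def affected_entries(installed, entries):
    """Indexes of VuXML entries in which at least one range covers `installed`."""
    return [i for i, ranges in enumerate(entries)
            if any(in_range(installed, r) for r in ranges)]

if __name__ == "__main__":
    hits = affected_entries(INSTALLED, RANGES)
    print(f"bash-{INSTALLED}: matches VuXML entries {hits or 'none'}")
```

To have pkg itself evaluate the ranges against one specific version rather than every entry for the name, pass the full name-version string, e.g. `pkg audit bash-4.3.42_1`.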

