pkg audit systemwide vs pkg audit packagewise
Christoph Pilka
c.pilka at asconix.com
Tue May 3 08:48:18 UTC 2016
Hi,
I have a sort of weird behaviour when it comes to pkg audits. Same system:
#~ pkg audit -F
tells me:
Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
0 problem(s) in the installed packages found.
but running pkg audit for a specific package, e.g. bash:
#~ pkg audit -F bash
tells me:
Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
bash is vulnerable:
Affected versions:
< 4.3.25_2
bash -- remote code execution
CVE: CVE-2014-6278
CVE: CVE-2014-6277
WWW: https://vuxml.FreeBSD.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html
bash is vulnerable:
Affected versions:
< 4.3.27_1
bash -- out-of-bounds memory access in parser
CVE: CVE-2014-7187
CVE: CVE-2014-7186
WWW: https://vuxml.FreeBSD.org/freebsd/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html
bash is vulnerable:
Affected versions:
> 4.3 : < 4.3.25_1
> 4.2 : <= 4.2.48
> 4.1 : <= 4.1.12
> 4.0 : <= 4.0.39
> 3.2 : <= 3.2.52
> 3.1 : <= 3.1.18
> 3.0 : <= 3.0.17
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: https://vuxml.FreeBSD.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html
1 problem(s) in the installed packages found.
That's confusing, especially because none of the version numbers in the CVEs listed above actually matches the version of bash that is installed on the system:
#~ pkg info bash | grep ^Version
Version : 4.3.42_1
Am I doing something wrong or is it actually a bug?
Cheerio,
Chris
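
The version comparison described in the message, as an added example that is not part of the original post: it tests a version string against each "Affected versions" range quoted in the output above. The comparison is a simplified assumption (numeric dotted components plus an optional `_revision`; no epochs or letter suffixes), not pkg's own algorithm, and all function names are hypothetical.

```python
import re

# Constructed from the "Affected versions" lines in the quoted audit output.
AUDIT_RANGES = """\
< 4.3.25_2
< 4.3.27_1
> 4.3 : < 4.3.25_1
> 4.2 : <= 4.2.48
> 4.1 : <= 4.1.12
> 4.0 : <= 4.0.39
> 3.2 : <= 3.2.52
> 3.1 : <= 3.1.18
> 3.0 : <= 3.0.17
"""

def parse_version(v):
    """Split 'X.Y.Z_R' into ((X, Y, Z), R). Simplified assumption:
    numeric components and an optional _revision only."""
    base, _, rev = v.partition("_")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)

def compare(a, b):
    """Return -1, 0 or 1; shorter versions are padded with zeros and
    the port revision is compared last."""
    (pa, ra), (pb, rb) = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    ka = pa + (0,) * (n - len(pa)) + (ra,)
    kb = pb + (0,) * (n - len(pb)) + (rb,)
    return (ka > kb) - (ka < kb)

OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
       ">": lambda c: c > 0, ">=": lambda c: c >= 0, "=": lambda c: c == 0}

def in_range(installed, line):
    """True if `installed` satisfies every 'op version' bound on the line."""
    bounds = re.findall(r"(<=|>=|<|>|=)\s*([\w.]+)", line)
    return bool(bounds) and all(OPS[op](compare(installed, ver))
                                for op, ver in bounds)

def matching_ranges(installed, text=AUDIT_RANGES):
    """Return the range lines that the given version falls into."""
    return [l.strip() for l in text.splitlines() if in_range(installed, l)]

if __name__ == "__main__":
    # 4.3.42_1 is the installed version from the message; 4.3.24 is a
    # constructed older version for contrast.
    for v in ("4.3.42_1", "4.3.24"):
        print(v, "->", matching_ranges(v) or "no affected range matches")
```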
More information about the freebsd-questions mailing list