using pkg audit to show base vulnerabilities

Mark Felder feld at
Thu Sep 8 00:21:27 UTC 2016

On Wed, Sep 7, 2016, at 18:23, Ben Woods wrote:
> Just a thought, once we move to PkgBase, will this simply work work "pkg
> audit"?

Yes, that's the plan as I know it.

> Are the new vuxml entries in the correct format to detect for individual
> base packages?
> E.g. FreeBSD-libxo, FreeBSD-libxo-debug, FreeBSD-libxo-development

The current format is irrelevant as the vulnerabilities will not apply
to a FreeBSD release that has pkg base. This is just a stopgap that has
been hacked up. I also do not know what the base package names will be
yet as I haven't played around with it, but we will be ensuring that
vuxml entries are correctly added once pkg base is finalized. It will be
possible to add entries that match for both older FreeBSD releases and
new pkg base releases.

> Are the new vuxml entries in a format that would support PkgBase for
> releases as well as for stable/current?
> E.g. FreeBSD-libxo-12.0_2, FreeBSD-libxo-12.0.s20160903042939

I don't know if it will be possible to match for stable/current users.
Depends on the versioning scheme.

  Mark Felder
  ports-secteam member
  feld at

More information about the freebsd-security mailing list