[Bug 251790] security/base-audit: incorrectly reports that 12.2p2 is vuln
bugzilla-noreply at freebsd.org
Sat Dec 12 17:19:23 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251790
Bug ID: 251790
Summary: security/base-audit: incorrectly reports that 12.2p2 is vuln
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs at FreeBSD.org
Reporter: dvl at FreeBSD.org
CC: 000.fbsd at quip.cz
Flags: maintainer-feedback?(000.fbsd at quip.cz)
This is base-audit-0.4 on FreeBSD 12.2 - but it affects other FreeBSD versions
as well.
This is partly related to
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245878
When kernel and userland do not match, false positives result. Case in point,
this host is:
$ freebsd-version -u -k
12.2-RELEASE-p1
12.2-RELEASE-p2
$
When running the script:
[dan at tallboy:~] $ sudo /usr/local/etc/periodic/security/405.pkg-base-audit
Checking for security vulnerabilities in base (userland & kernel):
Host system:
Database fetched: Sat Dec 12 16:51:55 UTC 2020
0 problem(s) in 0 installed package(s) found.
FreeBSD-12.2_2 is vulnerable:
OpenSSL -- NULL pointer de-reference
CVE: CVE-2020-1971
WWW: https://vuxml.FreeBSD.org/freebsd/1d56cfc5-3970-11eb-929d-d4c9ef517024.html
1 problem(s) in 1 installed package(s) found.
This false positive also arises from jails.