[Bug 251790] security/base-audit: incorrectly reports that 12.2p2 is vuln
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Sat Dec 12 19:45:38 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251790
--- Comment #2 from Miroslav Lachman <000.fbsd at quip.cz> ---
If there is some problem then I think it is not in base-audit but in "pkg
audit" or vuln.xml
I just checked the commands called by base-audit script:
% pkg audit FreeBSD-kernel-12.2_1
0 problem(s) in 0 installed package(s) found.
% pkg audit FreeBSD-kernel-12.2_2
0 problem(s) in 0 installed package(s) found.
% pkg audit FreeBSD-12.2_1
FreeBSD-12.2_1 is vulnerable:
OpenSSL -- NULL pointer de-reference
CVE: CVE-2020-1971
WWW:
https://vuxml.FreeBSD.org/freebsd/1d56cfc5-3970-11eb-929d-d4c9ef517024.html
1 problem(s) in 1 installed package(s) found.
% pkg audit FreeBSD-12.2_2
FreeBSD-12.2_2 is vulnerable:
OpenSSL -- NULL pointer de-reference
CVE: CVE-2020-1971
WWW:
https://vuxml.FreeBSD.org/freebsd/1d56cfc5-3970-11eb-929d-d4c9ef517024.html
1 problem(s) in 1 installed package(s) found.
So "pkg audit" reports both userland versions as vulnerable and both Kernel
versions as fixed.
For the record - kernel version does not matter when base-audit checks jails
because it is not used in this check. base-audit script extracts the jails
userland version by this command:
jexec $jid freebsd-version -u
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-ports-bugs
mailing list