[Bug 251790] security/base-audit: incorrectly reports that 12.2p2 is vuln
bugzilla-noreply at freebsd.org
Tue Dec 15 08:46:34 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251790
--- Comment #7 from Miroslav Lachman <000.fbsd at quip.cz> ---
(In reply to Philip Paeps from comment #6)
Thank you for your explanation. This fixed the problem.
Before:
# pkg audit FreeBSD-12.2_2
FreeBSD-12.2_2 is vulnerable:
OpenSSL -- NULL pointer de-reference
CVE: CVE-2020-1971
WWW: https://vuxml.FreeBSD.org/freebsd/1d56cfc5-3970-11eb-929d-d4c9ef517024.html
1 problem(s) in 1 installed package(s) found.
After:
# pkg audit -F FreeBSD-12.2_2
Fetching vuln.xml.bz2: 100% 898 KiB 919.5kB/s 00:01
0 problem(s) in 0 installed package(s) found.
But what can we do about it next time?
a) teach pkg audit to compare only the same version branches?
b) always put entry in some virtual range like 11.4 < 11.99?
Both have pros and cons. Sometimes we can have vulnerabilities in more than one
branch which can be covered by an entry "anything higher than 11.4". If we choose
a) then we need to always add ranges for all supported branches.
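To make the trade-off between a) and b) concrete, here is an added example (not part of this bug report and not pkg's own code): a small Python model of VuXML range matching run against a base-system "package" version such as FreeBSD-12.2_2. The comparator is a simplified stand-in for pkg's real version algorithm (it assumes numeric dotted components, an optional `_N` revision and an optional `,N` epoch), and all three entries, including their patch levels, are constructed for illustration rather than taken from VuXML.

```python
"""Simplified model of how a pkg-audit style checker evaluates VuXML version
ranges against a base-system 'package' version such as FreeBSD-12.2_2.

Added illustration only: the comparator approximates pkg's version rules
(numeric dotted components, optional _N revision, optional ,N epoch), and the
entries below are constructed for this example, not real VuXML data.
"""
import operator


def parse_version(v: str):
    """Return (epoch, components, revision) for a pkg-style version string."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    components = [int(x) for x in v.split(".")]  # assumption: numeric components only
    return epoch, components, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, 0 if equal, positive if a > b (epoch, then components, then revision)."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    n = max(len(ca), len(cb))
    ca = ca + [0] * (n - len(ca))  # "12.2" and "12.2.0" compare equal
    cb = cb + [0] * (n - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    return ra - rb


# VuXML bound names mapped to the comparison each one imposes on the version.
OPS = {"ge": operator.ge, "gt": operator.gt, "le": operator.le, "lt": operator.lt}


def in_range(version: str, bounds: dict) -> bool:
    """bounds maps VuXML bound names (ge/gt/le/lt) to version strings; all must hold."""
    return all(OPS[name](compare_versions(version, bound), 0)
               for name, bound in bounds.items())


def audit(version: str, entries: dict) -> list:
    """Return the names of the entries in which any range covers `version`."""
    return [name for name, ranges in entries.items()
            if any(in_range(version, r) for r in ranges)]


# Constructed entries illustrating the two options discussed in the comment.
ENTRIES = {
    # A single open-ended lower bound: flags every later branch, including a fixed 12.2_2.
    "open-lower-bound": [{"ge": "11.4"}],
    # Option b): cap the range inside the 11.x branch with a "virtual" upper bound.
    "virtual-upper-bound": [{"ge": "11.4", "lt": "11.99"}],
    # Option a) style: one range per supported branch (these patch levels are hypothetical).
    "per-branch": [{"ge": "11.4", "lt": "11.4_6"},
                   {"ge": "12.1", "lt": "12.1_11"},
                   {"ge": "12.2", "lt": "12.2_2"}],
}


if __name__ == "__main__":
    for v in ("11.4_3", "12.2_1", "12.2_2"):
        print(f"FreeBSD-{v}: {audit(v, ENTRIES) or 'no problems'}")
```

Running the block shows the behaviour behind the bug: the open lower bound is the only entry that still matches FreeBSD-12.2_2, while both the capped 11.x range and the per-branch ranges stop matching once the fixed patch level is reached, and the per-branch form is the only one that also catches 12.2_1 on the 12.2 branch.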