[Bug 249110] security/gnupg: 2.2.23 is incorrectly marked as vulnerable by pkg audit
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Fri Sep 4 15:03:09 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=249110
Bug ID: 249110
Summary: security/gnupg: 2.2.23 is incorrectly marked as
vulnerable by pkg audit
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: adamw at FreeBSD.org
Reporter: jjuanino at gmail.com
Flags: maintainer-feedback?(adamw at FreeBSD.org)
Assignee: adamw at FreeBSD.org
Hi, I have updated security/gnupg to 2.2.23 version to address CVE-2013-4576,
but the port is still considered vulnerable by pkg audit:
# pkg info -x gnupg
gnupg-2.2.23
# pkg audit gnupg-2.2.23
gnupg-2.2.23 is vulnerable:
gnupg -- AEAD key import overflow
CVE: CVE-2020-25125
WWW:
https://vuxml.FreeBSD.org/freebsd/f9fa7adc-ee51-11ea-a240-002590acae31.html
1 problem(s) in 1 installed package(s) found.
I have inspected the registered item in vuxml database and it seems to be fine:
<vuln vid="f9fa7adc-ee51-11ea-a240-002590acae31">
<topic>gnupg -- AEAD key import overflow</topic>
<affects>
<package>
<name>gnupg</name>
<range><ge>2.2.21</ge></range>
<range><lt>2.2.23</lt></range>
</package>
As you can see, 2.2.23 is out of the range, and therefore 2.2.23 is not
vulnerable.
Am I doing something wrong or misunderstanding something?
Regards
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-ports-bugs
mailing list