portaudit thinks a vulnerability just disappeared
James Long
list at museum.rain.com
Tue Oct 17 01:10:56 UTC 2006
I have a 4.11-RELEASE system.
Prior to doing some minor portupdates, I had this portaudit report:

Checking for packages with security vulnerabilities:
Affected package: php4-4.4.1_3
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>
Affected package: php4-4.4.1_3
Type of problem: php -- multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/ea09c5df-4362-11db-81e1-000e0c2e438a.html>
Affected package: ruby-1.8.4_3,1
Type of problem: ruby - multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html>
Affected package: apache+mod_ssl-1.3.34+2.8.25_2
Type of problem: apache -- mod_rewrite buffer overflow vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html>
Affected package: mutt-1.4.2.1_2
Type of problem: mutt -- Remote Buffer Overflow Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/d2a43243-087b-11db-bc36-0008743bf21a.html>
5 problem(s) in your installed packages found.

I cvsup'ped my ports tree and portupgraded ruby, mutt and portaudit,
but not any of their dependencies (since version number changes were
minor).

portaudit -aF now thinks:

www : 17:59:17 /root# portaudit -aF
auditfile.tbz 100% of 38 kB 138 kBps
New database installed.
Affected package: php4-4.4.1_3
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>
Affected package: php4-4.4.1_3
Type of problem: php -- multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/ea09c5df-4362-11db-81e1-000e0c2e438a.html>
2 problem(s) in your installed packages found.

Why does portaudit think the apache+mod_ssl problem went away? The
installed version is still:

apache+mod_ssl-1.3.34+2.8.25_2 The Apache 1.3 webserver with SSL/TLS functionality

Thanks!

Jim