pkg audit disagrees with pkg upgrade ???
edflecko .
edflecko at gmail.com
Wed May 7 14:51:23 UTC 2014
Great, thank you.
Is there a way to see what package(s) is specifically using these dependent
packages? I might choose to remove the host package, for security reasons,
and thereby remove these as well.
Ed
On Wed, May 7, 2014 at 12:21 AM, Arthur Chance <freebsd at qeng-ho.org> wrote:
> On 06/05/2014 21:27, edflecko . wrote:
>
>> I'm checking to see if I need to upgrade any installed packages. pkg audit
>> -F says I have three vulnerabilities, but when I run pkg upgrade -y, it
>> thinks everything is O.K. (see below)
>>
>> Why the discrepancy? Which one should I believe?
>>
>
> Apples and oranges. Just because a port has a vulnerability doesn't
> necessarily mean there's a newer version available yet.
>
>> fbsd_box# pkg audit -F
>>
>> Vulnxml file up-to-date.
>> linux-f10-expat-2.0.1 is vulnerable:
>> expat2 -- Parser crash with specially formatted UTF-8 sequences
>> CVE: CVE-2009-3720
>> WWW: http://portaudit.FreeBSD.org/5f030587-e39a-11de-881e-001aa0166822.html
>>
>> linux-f10-png-1.2.37_2 is vulnerable:
>> png -- memory corruption/possible remote code execution
>> CVE: CVE-2011-3048
>> WWW: http://portaudit.FreeBSD.org/262b92fe-81c8-11e1-8899-001ec9578670.html
>>
>> linux-f10-tiff-3.8.2 is vulnerable:
>> tiff -- Multiple integer overflows
>> CVE: CVE-2009-2347
>> WWW: http://portaudit.FreeBSD.org/8816bf3a-7929-11df-bcce-0018f3e2eb82.html
>>
>> 3 problem(s) in the installed packages found.
>>
>> fbsd_box# pkg upgrade -y
>> Updating repository catalogue
>> Nothing to do
>>
>>
>> Ed
>
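The triage discussed in this thread, as an added example that is not part of the original messages: it pulls the flagged packages out of `pkg audit` output and, on a FreeBSD host, lists what requires each one with `pkg info -r`. The function names are hypothetical and the sample input is constructed from the audit output quoted above.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Sample below is constructed from the audit output quoted in the message.
SAMPLE_AUDIT='linux-f10-expat-2.0.1 is vulnerable:
expat2 -- Parser crash with specially formatted UTF-8 sequences
CVE: CVE-2009-3720

linux-f10-png-1.2.37_2 is vulnerable:
png -- memory corruption/possible remote code execution
CVE: CVE-2011-3048

linux-f10-tiff-3.8.2 is vulnerable:
tiff -- Multiple integer overflows
CVE: CVE-2009-2347

3 problem(s) in the installed packages found.'

# Read `pkg audit` output on stdin; print "name-version<TAB>CVE[,CVE...]"
# for each flagged package. Several CVE lines under one package are joined.
vulnerable_pkgs() {
    awk '
        / is vulnerable:$/ {
            if (pkg != "") print pkg "\t" cves
            pkg = $1; cves = ""; next
        }
        /^CVE: / { cves = (cves == "" ? $2 : cves "," $2) }
        END { if (pkg != "") print pkg "\t" cves }
    '
}

# On a FreeBSD host: list the installed packages that require each flagged
# package, so the parent package can be reviewed or removed.
report_dependents() {
    tab=$(printf '\t')
    pkg audit -F | vulnerable_pkgs | while IFS="$tab" read -r name cves; do
        printf '== %s (%s) is required by:\n' "$name" "${cves:-no CVE listed}"
        pkg info -r "$name" </dev/null
    done
}

# "live" queries the local package database; the default parses the sample.
case "${1:-}" in
    live) report_dependents ;;
    *)    printf '%s\n' "$SAMPLE_AUDIT" | vulnerable_pkgs ;;
esac
```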