pkg repositories out of alignment (was: Re: bash vulnerability)
Paul Hoffman
paul.hoffman at vpnc.org
Fri Sep 26 15:25:23 UTC 2014
Just a note that the pkg repo for 10 seems to be far advanced over that for 9.3. That is, the bash fix appeared in the 10 repo yesterday (or earlier), but it is still not in the 9.3 repo. Here's what I'm seeing on a 9.3 box right now:
# sudo pkg update
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
# sudo pkg audit
bash-4.3.24 is vulnerable:
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: http://portaudit.FreeBSD.org/71ad81da-4414-11e4-a33e-3c970e169bc2.html
1 problem(s) in the installed packages found.
# sudo pkg upgrade bash
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
I appreciate the speed with which folks update the packages; I'm a bit distressed that 9.3 seems to be a second-class citizen for security fixes. (And I totally admit that I could be misreading the situation.)
--Paul Hoffman