@dlangille
Created January 21, 2015 17:55
old pkg and new pkg give different results for pkg audit
$ sudo pkg info -r libevent
libevent-1.4.14b_3:
tmux-1.9.a_1
$ sudo pkg audit -F
Vulnxml file up-to-date.
libevent-1.4.14b_3 is vulnerable:
libevent -- integer overflow in evbuffers
CVE: CVE-2014-6272
WWW: http://portaudit.FreeBSD.org/daa8a49b-99b9-11e4-8f66-3085a9a4510d.html
1 problem(s) in the installed packages found.
$ sudo pkg upgrade
Updating repository catalogue
New version of pkg detected; it needs to be installed first.
Upgrades have been requested for the following 1 packages:
Upgrading pkg: 1.2.7_4 -> 1.3.8_1 [vrt]
The upgrade will require 1 MB more space
2 MB to be downloaded
Proceed with upgrading packages [y/N]: y
pkg-1.3.8_1.txz 100% 1992KB 2.0MB/s 2.0MB/s 00:00
Checking integrity... done
[1/1] Upgrading pkg from 1.2.7_4 to 1.3.8_1... done
If you are upgrading from the old package format, first run:
# pkg2ng
Updating vrt repository catalogue...
pkg: Repo "vrt" upgrade schema 2006 to 2007: Add conflicts and provides
pkg: Repo "vrt" upgrade schema 2007 to 2008: Add FTS index
pkg: Repo "vrt" upgrade schema 2008 to 2009: Optimize indicies
pkg: Repo "vrt" upgrade schema 2009 to 2010: Add legacy digest field
vrt repository is up-to-date.
All repositories are up-to-date.
Updating database digests format: 100%
Checking for upgrades (37 candidates): 100%
The following 33 packages will be affected (of 0 checked):
New packages to be INSTALLED:
libevent2: 2.0.22
indexinfo: 0.2
nano: 2.2.6
Installed packages to be UPGRADED:
zsh: 5.0.5 -> 5.0.6_1
libiconv: 1.14_3 -> 1.14_4
python27: 2.7.6_4 -> 2.7.8_5
glib: 2.36.3_2 -> 2.36.3_4
perl5: 5.16.3_9 -> 5.16.3_11
vrtbase: 1.1_1 -> 1.2
tmux: 1.9.a_1 -> 1.9.a_2
screen: 4.2.1_1 -> 4.2.1_3
msktutil: 0.5.1_1 -> 0.5.1_2
openldap-sasl-client: 2.4.39 -> 2.4.39_2
cyrus-sasl: 2.1.26_7 -> 2.1.26_9
sudo: 1.8.10.p3 -> 1.8.10.p3_1
nss-pam-ldapd-sasl: 0.8.14 -> 0.8.14_2
cfengine33: 3.3.8_5 -> 3.3.8_6
pcre: 8.34_1 -> 8.35
tshark: 1.10.7 -> 1.12.1_1
GeoIP: 1.4.8_3 -> 1.6.2_1
libsmi: 0.4.8 -> 0.4.8_1
adns: 1.4_1 -> 1.4_2
libffi: 3.0.13_1 -> 3.0.13_2
postfix: 2.11.1,1 -> 2.11.1_4,1
bash: 4.3.11_2 -> 4.3.30
ca_root_nss: 3.16 -> 3.17.1
rsync: 3.1.0_3 -> 3.1.1_3
net-snmp: 5.7.2_9 -> 5.7.2_16
vim-lite: 7.4.295 -> 7.4.430
pfqueue: 0.5.6 -> 0.5.6_1
openbsm-devel: 1.2.a3_2 -> 1.2.a3_5
Installed packages to be REINSTALLED:
gettext-0.18.3.1_1 (direct dependency changed)
tokyocabinet-1.4.48 (needed shared library changed)
The process will require 717 kB more space.
62 MB to be downloaded.
Proceed with this action? [y/N]: n
$ sudo pkg audit
bash-4.3.11_2 is vulnerable:
bash -- out-of-bounds memory access in parser
CVE: CVE-2014-7187
CVE: CVE-2014-7186
WWW: http://portaudit.FreeBSD.org/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html
bash-4.3.11_2 is vulnerable:
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: http://portaudit.FreeBSD.org/71ad81da-4414-11e4-a33e-3c970e169bc2.html
bash-4.3.11_2 is vulnerable:
bash -- remote code execution
CVE: CVE-2014-6278
CVE: CVE-2014-6277
WWW: http://portaudit.FreeBSD.org/512d1301-49b9-11e4-ae2c-c80aa9043978.html
libevent-1.4.14b_3 is vulnerable:
libevent -- integer overflow in evbuffers
CVE: CVE-2014-6272
WWW: http://portaudit.FreeBSD.org/daa8a49b-99b9-11e4-8f66-3085a9a4510d.html
2 problem(s) in the installed packages found.