tech-pkg archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
What's up with audit-packages?
I've have two audit-packages on my system; on in /usr/sbin and one
in /usr/pkg/sbin.
For some time now they've been giving different, disjoint (!) answers:
$ /usr/pkg/sbin/audit-packages
Package sun-jre15-5.0.10nb1 has a local-file-write vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080
Package sun-jre15-5.0.10nb1 has a denial-of-service vulnerability, see
http://secunia.com/advisories/17478/
Package sun-jre15-5.0.10nb1 has a denial-of-service vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2426
Package thunderbird-2.0.0.9 has a heap-overflow vulnerability, see
http://www.mozilla.org/security/announce/2008/mfsa2008-12.html
Package thunderbird-2.0.0.9 has a remote-user-shell vulnerability, see
http://www.mozilla.org/security/announce/2008/mfsa2008-01.html
Package thunderbird-2.0.0.9 has a remote-user-shell vulnerability, see
http://www.mozilla.org/security/announce/2008/mfsa2008-03.html
Package thunderbird-2.0.0.9 has a directory-traversal vulnerability, see
http://www.mozilla.org/security/announce/2008/mfsa2008-05.html
Package dbus-1.0.2nb2 has a security-bypass vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0595
Package sun-jre15-5.0.10nb1 has a unknown vulnerability, see
http://secunia.com/advisories/29239/
$ /usr/sbin/audit-packages
Package mplayer-1.0rc10nb2 has a remote-code-execution vulnerability,
see: http://www.mplayerhq.hu/homepage/design6/news.html
Package sun-jre15-5.0.10nb1 has a local-file-write vulnerability, see:
http://secunia.com/advisories/14902/
Package sun-jre15-5.0.10nb1 has a denial-of-service vulnerability, see:
http://secunia.com/advisories/17478/
Package sun-jre15-5.0.10nb1 has a denial-of-service vulnerability, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2426
So the latter sees an mplayer and 3 sun-jre15 issues, but the former
sees thunderbird, dbus and 4 sun-jre15 issues, but nothing for mplayer.
Why do I need to run both to get a full list?
Also, when building any package I get:
===> Skipping vulnerability checks.
WARNING: No Unknown option -Q
Usage: audit-packages [-dv] [-K pkg_dbdir] [-p package]
-d : Run download-vulnerability-list before anything else.
-K : Use pkg_dbdir as PKG_DBDIR.
-p : Check a specific package for vulnerabilities.
-v : Verbose mode/pkg-vulnerabilities file found.
WARNING: To fix run: `/usr/pkg/sbin/download-vulnerability-list'.
This is a fairly up-to-date Current system.
Neil.
Home |
Main Index |
Thread Index |
Old Index