tech-pkg archive


What's up with audit-packages?



I have two audit-packages on my system; one in /usr/sbin and one
in /usr/pkg/sbin.

For some time now they've been giving different, disjoint (!) answers:

$ /usr/pkg/sbin/audit-packages
Package sun-jre15-5.0.10nb1 has a local-file-write vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080
Package sun-jre15-5.0.10nb1 has a denial-of-service vulnerability, see
http://secunia.com/advisories/17478/
Package sun-jre15-5.0.10nb1 has a denial-of-service vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2426
Package thunderbird-2.0.0.9 has a heap-overflow vulnerability, see
http://www.mozilla.org/security/announce/2008/mfsa2008-12.html
Package thunderbird-2.0.0.9 has a remote-user-shell vulnerability, see
http://www.mozilla.org/security/announce/2008/mfsa2008-01.html
Package thunderbird-2.0.0.9 has a remote-user-shell vulnerability, see
http://www.mozilla.org/security/announce/2008/mfsa2008-03.html
Package thunderbird-2.0.0.9 has a directory-traversal vulnerability, see
http://www.mozilla.org/security/announce/2008/mfsa2008-05.html
Package dbus-1.0.2nb2 has a security-bypass vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0595
Package sun-jre15-5.0.10nb1 has a unknown vulnerability, see
http://secunia.com/advisories/29239/

$ /usr/sbin/audit-packages
Package mplayer-1.0rc10nb2 has a remote-code-execution vulnerability,
see: http://www.mplayerhq.hu/homepage/design6/news.html
Package sun-jre15-5.0.10nb1 has a local-file-write vulnerability, see:
http://secunia.com/advisories/14902/
Package sun-jre15-5.0.10nb1 has a denial-of-service vulnerability, see:
http://secunia.com/advisories/17478/
Package sun-jre15-5.0.10nb1 has a denial-of-service vulnerability, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2426

So the latter sees an mplayer and 3 sun-jre15 issues, but the former
sees thunderbird, dbus and 4 sun-jre15 issues, but nothing for mplayer.

Why do I need to run both to get a full list?

Also, when building any package I get:

===> Skipping vulnerability checks.
WARNING: No Unknown option -Q
Usage: audit-packages [-dv] [-K pkg_dbdir] [-p package]
    -d : Run download-vulnerability-list before anything else.
    -K : Use pkg_dbdir as PKG_DBDIR.
    -p : Check a specific package for vulnerabilities.
    -v : Verbose mode/pkg-vulnerabilities file found.
WARNING: To fix run: `/usr/pkg/sbin/download-vulnerability-list'.

This is a fairly up-to-date Current system.

Neil.
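
Added example, not part of the original post or of pkgsrc: a small parser that merges the two listings above and shows which binary reported each finding. The sample input is a constructed subset of the lines quoted in the post, and the function names and tool labels are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: a few lines copied from the two listings in the post.
PKG_OUTPUT = """\
Package thunderbird-2.0.0.9 has a heap-overflow vulnerability, see
http://www.mozilla.org/security/announce/2008/mfsa2008-12.html
Package sun-jre15-5.0.10nb1 has a denial-of-service vulnerability, see
http://secunia.com/advisories/17478/
Package dbus-1.0.2nb2 has a security-bypass vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0595
"""
BASE_OUTPUT = """\
Package mplayer-1.0rc10nb2 has a remote-code-execution vulnerability,
see: http://www.mplayerhq.hu/homepage/design6/news.html
Package sun-jre15-5.0.10nb1 has a denial-of-service vulnerability, see:
http://secunia.com/advisories/17478/
"""

# Matches both wordings seen in the post: ", see <url>" and ", see: <url>".
FINDING = re.compile(
    r"Package (\S+) has an? (\S+) vulnerability, see:? (\S+)")

def parse(text):
    """Return a set of (package, vulnerability type, URL) findings."""
    # Records wrap across lines at different points, so collapse whitespace.
    flat = " ".join(text.split())
    return set(FINDING.findall(flat))

def merge(reports):
    """Map each finding to the sorted list of tools that reported it."""
    seen = defaultdict(set)
    for tool, text in reports.items():
        for finding in parse(text):
            seen[finding].add(tool)
    return {f: sorted(t) for f, t in seen.items()}

def only_from(merged, tool):
    """Findings reported by `tool` and by no other tool."""
    return sorted(f for f, tools in merged.items() if tools == [tool])

if __name__ == "__main__":
    merged = merge({"/usr/pkg/sbin": PKG_OUTPUT, "/usr/sbin": BASE_OUTPUT})
    for (pkg, kind, url), tools in sorted(merged.items()):
        print(f"{pkg:24} {kind:22} {', '.join(tools):24} {url}")
```

Findings are keyed on the URL as well, so the same issue cited through different advisories (as with the sun-jre15 local-file-write entry in the post) appears as two separate rows.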

