Outdated warnings in daily security run

How can I get rid of warnings in the daily security run output?
The ports were updated long ago, but the daily warnings are still on the old version of ports. Looks like these warnings come for eternity.
 
As @wblock@ said, if you updated ports correctly, those warnings should not be there.

First thing I do after updating ports is to run portaudit to verify that they have been updated properly. You should run portaudit manually on your system to confirm for yourself that it isn't just the security emails being out of date.

If portaudit still reports issues, then your ports are not updated properly.
 
throAU said:
If portaudit still reports issues, then your ports are not updated properly.

Or the port itself has not been updated to fix the vulnerability. chromium-25.0.1364.172 for instance was reported more than a week ago, but that is still the current version in ports.
 
Then again, even with Chromium 25 installed, portaudit still warns about Chrome 24.

Code:
$ pkg info -x chrom
chromium-25.0.1364.172         Mostly BSD-licensed web browser based on WebKit and Gtk+

Code:
$ portaudit
Affected package: chromium-24.0.1312.57_1
Type of problem: chromium -- multiple vulnerabilities.
Reference: http://portaudit.FreeBSD.org/bdd48858-9656-11e2-a9a8-00262d5ed8ee.html

Affected package: chromium-25.0.1364.172
Type of problem: chromium -- multiple vulnerabilities.
Reference: http://portaudit.FreeBSD.org/bdd48858-9656-11e2-a9a8-00262d5ed8ee.html

Affected package: chromium-24.0.1312.57_1
Type of problem: chromium -- WebKit vulnerability.
Reference: http://portaudit.FreeBSD.org/54bed676-87ce-11e2-b528-00262d5ed8ee.html

Affected package: chromium-24.0.1312.57_1
Type of problem: chromium -- multiple vulnerabilities.
Reference: http://portaudit.FreeBSD.org/40d5ab37-85f2-11e2-b528-00262d5ed8ee.html

Affected package: chromium-24.0.1312.57_1
Type of problem: chromium -- multiple vulnerabilities.
Reference: http://portaudit.FreeBSD.org/dfd92cb2-7d48-11e2-ad48-00262d5ed8ee.html
 
And there's another one:

Code:
# pkg info -x nvidia-driver
nvidia-driver-310.44           NVidia graphics card binary drivers for hardware OpenGL rendering

Code:
# portaudit
Affected package: nvidia-driver-304.64
Type of problem: NVIDIA UNIX driver -- ARGB cursor buffer overflow in  NoScanout  mode.
Reference: http://portaudit.FreeBSD.org/1431f2d6-a06e-11e2-b9e0-001636d274f3.html

Maybe a lazy string compare.
 
That's a problem with the UPDATING file syntax, or rather a lack of it. The affects lines can match more installed ports than intended.
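As an added illustration of the false positives seen above (this is constructed example code, not the thread's commands and not portaudit's own matching logic), the POSIX shell script below contrasts a lazy match, which flags any installed package whose string merely starts with the affected name, with a match that requires the exact package name and a version below the first fixed version. The installed package strings are taken from the pkg info output quoted in the thread; the chromium boundary reuses the version the thread reports as current, while the nvidia-driver boundary (304.99) is a made-up placeholder.

```shell
#!/bin/sh
# Constructed illustration: why a loose name-prefix match flags packages
# that are already past the fixed version. Not portaudit's own code.

# Installed packages, taken from the pkg info output quoted in the thread,
# plus the older chromium version that the warnings name.
INSTALLED="chromium-25.0.1364.172
chromium-24.0.1312.57_1
nvidia-driver-310.44"

pkgname() { printf '%s\n' "${1%-*}"; }   # everything before the last '-'
pkgver()  { printf '%s\n' "${1##*-}"; }  # everything after the last '-'

# version_lt A B: exit 0 when A sorts before B, comparing each dot- or
# underscore-separated component numerically (missing components count as 0)
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[._]/); m = split(b, y, /[._]/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# lazy_match PKG NAME: flags PKG whenever its string merely starts with NAME,
# so chromium-25.x is caught by an entry written for chromium-24.x
lazy_match() {
    case "$1" in "$2"*) return 0 ;; *) return 1 ;; esac
}

# strict_match PKG NAME FIXED: flags PKG only if its name is exactly NAME
# and its version is below FIXED (the first unaffected version)
strict_match() {
    [ "$(pkgname "$1")" = "$2" ] || return 1
    version_lt "$(pkgver "$1")" "$3"
}

# report NAME FIXED: show both verdicts for every installed package
report() {
    for p in $INSTALLED; do
        lazy="no"; strict="no"
        lazy_match "$p" "$1" && lazy="yes"
        strict_match "$p" "$1" "$2" && strict="yes"
        printf '%-28s affected-by %-14s lazy=%-3s strict=%s\n' \
            "$p" "$1" "$lazy" "$strict"
    done
}

# Boundaries: chromium uses the version quoted in the thread as the first
# fixed one; the nvidia-driver value is a constructed placeholder.
report chromium      25.0.1364.172
report nvidia-driver 304.99
```

Running it prints two lines per installed package; the lazy column says "yes" for chromium-25.0.1364.172 while the strict column says "no", which is exactly the mismatch between pkg info and the portaudit output above. Version strings are compared component-wise rather than as text so that 310.44 sorts after 304.64 even though "31" is lexically smaller than "30" plus a digit.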
 
Code:
# portaudit
0 problem(s) in your installed packages found.

I deinstalled a port which was in the daily vulnerabilities list. Next day it showed up again in the list.

Is it a problem with the mail?
 
Erratus said:
Is it a problem with the mail?

Code:
# mailq -v
/var/spool/mqueue is empty
                Total requests: 0

Looks like mail is not the culprit.
What can I do to get some light in this mystery?
 
As every day, here is the "new" :\ security run output:

Code:
Checking for packages with security vulnerabilities:
ca_root_nss-3.13.6 is vulnerable:
mozilla -- multiple vulnerabilities

WWW: http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html

freetype2-2.4.9_1 is vulnerable:
freetype -- Multiple vulnerabilities

WWW: http://portaudit.FreeBSD.org/1ae613c3-5728-11e2-9483-14dae938ec40.html

libxml2-2.7.8_5 is vulnerable:
libxml2 -- cpu consumption Dos

WWW: http://portaudit.FreeBSD.org/843a4641-9816-11e2-9c51-080027019be0.html

openssl-1.0.1_4 is vulnerable:
OpenSSL -- TLS 1.1, 1.2 denial of service

WWW: http://portaudit.FreeBSD.org/00b0d8cd-7097-11e2-98d9-003067c2616f.html

perl-5.14.2_2 is vulnerable:
perl -- denial of service via algorithmic complexity attack on hashing routines

WWW: http://portaudit.FreeBSD.org/68c1f75b-8824-11e2-9996-c48508086173.html

php5-5.4.7 is vulnerable:
php5 -- Multiple vulnerabilities

WWW: http://portaudit.FreeBSD.org/1d23109a-9005-11e2-9602-d43d7e0c7c02.html

squid-3.1.21 is vulnerable:
squid -- denial of service

WWW: http://portaudit.FreeBSD.org/c37de843-488e-11e2-a5c9-0019996bc1f7.html

sudo-1.8.6.p3_1 is vulnerable:
sudo -- Potential bypass of tty_tickets constraints

WWW: http://portaudit.FreeBSD.org/82cfd919-8213-11e2-9273-902b343deec9.html

sudo-1.8.6.p3_1 is vulnerable:
sudo -- Authentication bypass when clock is reset

WWW: http://portaudit.FreeBSD.org/764344fb-8214-11e2-9273-902b343deec9.html

8 problem(s) in your installed packages found.

-- End of security output --


Output of pkg_version -v (edited down to the problem-relevant ports):
Code:
#pkg_version -v
ca_root_nss-3.14.3                  =   up-to-date with port
freetype2-2.4.11                    =   up-to-date with port
libxml2-2.8.0_1                     =   up-to-date with port
perl-5.14.2_3                       =   up-to-date with port
php5-5.4.13                         =   up-to-date with port
squid-3.1.23                        =   up-to-date with port

As can be seen, there are 9 warnings but only six ports are installed. The missing ones have been deinstalled.

And for completeness:
Code:
# portaudit
0 problem(s) in your installed packages found.

I really have no clue what generates this security run output.
 
Have you used PKGNG at some point but reverted back to the old packages? Check if you have a /usr/local/etc/periodic/security/410.pkg-audit file in your system.

You can turn the check off with this setting in /etc/periodic.conf:

Code:
daily_status_security_pkgaudit_enable="NO"
 
I happened to remember that PKGNG has its own integrated audit tool and with the old packages you have to use ports-mgmt/portaudit. They don't use the same local auditfile either.

You could do this to make sure PKGNG does not interfere with your old format packages:
Code:
# mv /var/db/pkg/local.sqlite /var/db/pkg/local.sqlite.old
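The situation kpa describes, a pkgng local.sqlite left behind next to an old-style pkg_install database so that the periodic 410.pkg-audit script audits one database while the installed ports live in the other, is easy to detect before it produces a week of stale mail. The POSIX shell script below is an added example (not code from the thread or from FreeBSD) that classifies the package database under /var/db/pkg and says which audit mechanism will actually be consulted; the PKGDB override and the function names are this example's own, and the old-format test simply looks for the +CONTENTS file that pkg_install writes into each <name>-<version> directory.

```shell
#!/bin/sh
# Added check (not from the thread): detect a host that carries both an
# old pkg_install database (/var/db/pkg/<name>-<version>/+CONTENTS) and a
# pkgng local.sqlite. In that state the periodic 410.pkg-audit script
# audits the sqlite database while the installed software is tracked by
# the directory entries, which is how stale warnings survive.

# pkgdb_state DIR: print one of pkg_install, pkgng, mixed or none
pkgdb_state() {
    db="${1:-/var/db/pkg}"
    old=0; new=0
    # any <name>-<version>/+CONTENTS entry means pkg_install data is present
    for d in "$db"/*/; do
        [ -f "${d}+CONTENTS" ] && old=1
    done
    # local.sqlite is the pkgng database
    [ -f "$db/local.sqlite" ] && new=1
    case "${old}${new}" in
        11) echo mixed ;;
        10) echo pkg_install ;;
        01) echo pkgng ;;
        *)  echo none ;;
    esac
}

# audit_tool STATE: which audit mechanism matches the package format
audit_tool() {
    case "$1" in
        pkgng)       echo "pkg audit (410.pkg-audit reads local.sqlite)" ;;
        pkg_install) echo "portaudit (ports-mgmt/portaudit)" ;;
        mixed)       echo "ambiguous: 410.pkg-audit reports on local.sqlite, portaudit on the +CONTENTS entries" ;;
        *)           echo "no package database found" ;;
    esac
}

# periodic_audit_enabled: report whether the pkgng periodic script is
# installed and executable, i.e. whether the daily mail will come from it
periodic_audit_enabled() {
    [ -x /usr/local/etc/periodic/security/410.pkg-audit ]
}

PKGDB="${PKGDB:-/var/db/pkg}"   # override for testing against a copy
state=$(pkgdb_state "$PKGDB")
echo "package database: $PKGDB -> $state"
echo "audit mechanism:  $(audit_tool "$state")"
if periodic_audit_enabled; then
    echo "410.pkg-audit:    installed and executable"
else
    echo "410.pkg-audit:    not present"
fi
if [ "$state" = mixed ]; then
    echo "hint: the fix used in the thread was:"
    echo "      mv $PKGDB/local.sqlite $PKGDB/local.sqlite.old"
fi
```

On the host in the thread this prints "mixed" together with the ambiguous audit line, which is the state that made portaudit report zero problems while the daily security mail kept listing deinstalled ports. After the mv, the same script reports pkg_install and points at portaudit as the relevant tool.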
 
The outdated security run output is gone. A new /var/db/pkg/local.sqlite has been created.

Thank you kpa!
 