pkg audit and freshport missmatch

[gnath]

After upgrading my packages today I have found

pkg audit -F
Fetching vuln.xml.bz2: 100%  711 KiB 242.8kB/s    00:03   
libsndfile-1.0.28_1 is vulnerable:
libsndfile -- out-of-bounds reads
CVE: CVE-2017-17457
CVE: CVE-2017-17456
CVE: CVE-2017-14246
CVE: CVE-2017-14245
WWW: https://vuxml.FreeBSD.org/freebsd/30704aba-1da4-11e8-b6aa-4ccc6adda413.html
1 problem(s) in the installed packages found.

But my system has

pkg inf libsndfile
libsndfile-1.0.28_1
Name           : libsndfile
Version        : 1.0.28_1
Installed on   : Mon Mar  5 18:08:25 2018 IST

Freshports also has reported same version and no issue after mar' 01.
Are these all new CVE or I have some stale files. I have used pkg clean also.

 

[talsamon]

Freshport lists audio/libsndfile under "latest vulnerabilities". Pkg info does not show vulnerabilities.

 

[gnath]

Package libsndfile was last updated on 06 mar' to latest version but
https://www.vuxml.org/freebsd/004debf9-1d16-11e8-b6aa-4ccc6adda413.html
shows no vulnerability for this version. This means still exists as per freshports.

Freshport lists audio/libsndfile under "latest vulnerabilities"

 

[talsamon]

It was not a new version, only patches. But 1.0.29 has still vulnerabilities
https://www.cvedetails.com/vulnerab...259/Libsndfile-Project-Libsndfile-1.0.29.html

 

[SirDice]

Look at the VuXML URL, any version below 1.0.29 is vulnerable, this includes 1.0.28_1 and 1.0.29pre1 (prerelease version).

 

[talsamon]

Thanks, you are right.