Created attachment 156589: snippet from vuln.xml

This commit is apparently causing issues with pkg audit:

# pkg audit -F
vulnxml file up-to-date
postfix-base-2.11.4,1 is vulnerable:
Postfix -- memory corruption vulnerability
CVE: CVE-2011-1720
WWW: http://vuxml.FreeBSD.org/freebsd/3eb2c100-738b-11e0-89f4-001e90d46635.html

postfix-base-2.11.4,1 is vulnerable:
postfix -- plaintext command injection with SMTP over TLS
CVE: CVE-2011-0411
WWW: http://vuxml.FreeBSD.org/freebsd/14a6f516-502f-11e0-b448-bbfa2731f9c7.html

Unless I'm reading the section of vuln.xml wrong, postfix/postfix-base v2.11.4,1 should not be affected by either entry (see pasted snippet). I've tested on 10.1 and 9.3 and pkg audit is reporting the same thing on both servers. I'm not sure if this is a bug with pkg audit itself; if it is, please select the correct component/reassign this bug report as required.
I believe this is caused by removal of PORTEPOCH in lower bounds:

- <range><ge>2.5.*,2</ge><lt>2.5.12,2</lt></range>
...
+ <range><ge>2.5.0</ge><lt>2.5.12,2</lt></range>

This will match all postfix versions that have a PORTEPOCH of 1.
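A small version-range check, added here as an illustration and not part of this bug report or of pkg's own code, showing why dropping the epoch from the lower bound makes the entry match postfix-base-2.11.4,1. It assumes the simplified FreeBSD ordering (epoch after the comma first, then dotted components, then the _revision) and uses 2.5.0,2 as the corrected lower bound, which is my assumption; the `*` wildcard from the original entry is not handled.

```python
def parse_pkg_version(v):
    """Split a FreeBSD package version 'version[_revision][,epoch]' into
    (epoch, components, revision). Missing revision or epoch count as 0.
    Numeric components sort numerically, alphabetic ones after them."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = [(0, int(c)) if c.isdigit() else (1, c) for c in v.split(".")]
    return epoch, parts, revision


def compare(a, b):
    """Return -1, 0 or 1 like a three-way compare; the epoch dominates,
    which is exactly why a bound written without ',N' is epoch 0."""
    ka, kb = parse_pkg_version(a), parse_pkg_version(b)
    return (ka > kb) - (ka < kb)


def in_range(installed, ge=None, lt=None):
    """Mimic a VuXML <range> with optional <ge> and <lt> bounds."""
    if ge is not None and compare(installed, ge) < 0:
        return False
    if lt is not None and compare(installed, lt) >= 0:
        return False
    return True


# Constructed inputs: the installed port from the report and the two bounds.
INSTALLED = "2.11.4,1"
BROKEN_GE, FIXED_GE, LT = "2.5.0", "2.5.0,2", "2.5.12,2"   # FIXED_GE is assumed


def false_positive():
    # Lower bound without epoch (epoch 0) and upper bound with epoch 2:
    # every epoch-1 version, including 2.11.4,1, falls between them.
    return in_range(INSTALLED, ge=BROKEN_GE, lt=LT)


def fixed_result():
    # With the epoch restored on the lower bound, only the postfix25
    # branch (epoch 2) can match.
    return in_range(INSTALLED, ge=FIXED_GE, lt=LT)
```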
A commit references this bug:

Author: delphij
Date: Sun May 10 08:28:44 UTC 2015
New revision: 385932
URL: https://svnweb.freebsd.org/changeset/ports/385932

Log:
  Correct version range.

  PR: 200089

Changes:
  head/security/vuxml/vuln.xml
Should have been fixed in 385932, sorry for that.
Thanks for fixing that, "Postfix -- memory corruption vulnerability" (CVE-2011-1720) is no longer showing up in pkg audit. Unfortunately the second entry has not been fixed:

# pkg audit -F
vulnxml file up-to-date
postfix-base-2.11.4,1 is vulnerable:
postfix -- plaintext command injection with SMTP over TLS
CVE: CVE-2011-0411
WWW: http://vuxml.FreeBSD.org/freebsd/14a6f516-502f-11e0-b448-bbfa2731f9c7.html
Created attachment 156591: second vuxml entry fix

(In reply to Antoine Brodin from comment #1)

It is a bit more tricky. In the past there were up to 5 postfix versions in the tree; during a repo copy in r242262 the PORTEPOCH for postfix25 was incremented from 1 -> 2. It seems there is an additional entry to fix in vuxml.

@Xin Li would you mind fixing that entry also?
Unfortunately not all occurrences for postfix in vuln.xml have been fixed.
A commit references this bug:

Author: ohauer
Date: Sun May 10 12:12:32 UTC 2015
New revision: 385940
URL: https://svnweb.freebsd.org/changeset/ports/385940

Log:
  - fix a second postfix entry

  PR: 200089 (followup)

Changes:
  head/security/vuxml/vuln.xml
The remaining postfix entry is fixed now and should be available in some minutes for download with `pkg audit -F`.
(In reply to Olli Hauer from comment #8)

Thanks!