# pkg audit -F FreeBSD-kernel-13.1_6
Fetching vuln.xml.xz: 100% 996 KiB 1.0MB/s 00:01
0 problem(s) in 0 installed package(s) found.
# pkg audit FreeBSD-13.1_6
0 problem(s) in 0 installed package(s) found.

There should be information about CVE-2023-0286, CVE-2023-0215, CVE-2022-4450 and CVE-2022-4304 at least. Also, periodic security (405.pkg-base-audit) reports are incomplete because of the bug.

Reference: https://www.freebsd.org/security/advisories/FreeBSD-SA-23:03.openssl.asc
PkgBase, yes?
No, why?
The audit of both kernel and base is working regardless of PkgBase. The last entries for both kernel and base are dated August 2022: https://vuxml.freebsd.org/freebsd/pkg-FreeBSD-kernel.html https://vuxml.freebsd.org/freebsd/pkg-FreeBSD.html
(In reply to Graham Perrin from comment #1) pkg audit has worked for base (kernel + world) for more than 6 years. It was originally created by Mark Felder. Then I created a port for the periodic script https://www.freshports.org/security/base-audit/ which is now deleted, as this functionality has been included in pkg for about a year. https://lists.freebsd.org/pipermail/freebsd-security/2016-August/009049.html But the Security Officer Team must publish SAs to VuXML. It will not work without entries in the database. I think this PR should be assigned to the Security Team, because the maintainer of ports-mgmt/pkg cannot do anything about it.
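A check that follows from the comment above (an added example, not code from this thread or from pkg): because pkg audit can only report what VuXML contains, compare the newest VuXML entry for the FreeBSD and FreeBSD-kernel package names with the date of the latest security advisory. The embedded XML is a constructed sample in VuXML layout, and the function names and the advisory date passed in are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import date

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
BASE_NAMES = ("FreeBSD", "FreeBSD-kernel")

# Constructed sample in VuXML layout; vids, topics, ranges and dates are made up.
SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>constructed base entry</topic>
    <affects><package><name>FreeBSD</name>
      <range><ge>13.1</ge><lt>13.1_1</lt></range></package></affects>
    <dates><discovery>2022-08-09</discovery><entry>2022-08-10</entry></dates>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>constructed kernel entry</topic>
    <affects><package><name>FreeBSD-kernel</name>
      <range><lt>13.1_2</lt></range></package></affects>
    <dates><discovery>2022-08-30</discovery><entry>2022-08-31</entry></dates>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000003">
    <topic>constructed port entry</topic>
    <affects><package><name>exampleport</name>
      <range><lt>1.2</lt></range></package></affects>
    <dates><discovery>2023-02-07</discovery><entry>2023-02-08</entry></dates>
  </vuln>
</vuxml>"""

def newest_entry(xml_text, names=BASE_NAMES):
    """Map each package name to its newest <entry> date (None if it has no entry)."""
    newest = dict.fromkeys(names)
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        entry = vuln.findtext("v:dates/v:entry", namespaces=NS)
        if not entry:  # entries without dates carry nothing to compare
            continue
        day = date.fromisoformat(entry.strip())
        for name in vuln.findall("v:affects/v:package/v:name", NS):
            pkg = (name.text or "").strip()
            if pkg in newest and (newest[pkg] is None or day > newest[pkg]):
                newest[pkg] = day
    return newest

def stale(xml_text, latest_advisory, names=BASE_NAMES):
    """Names whose newest VuXML entry is older than the latest advisory date."""
    found = newest_entry(xml_text, names)
    return sorted(n for n, d in found.items() if d is None or d < latest_advisory)
```

A name returned by `stale()` means a "0 problem(s)" result from pkg audit for that package says nothing about advisories published after its newest entry.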
This should be fixed, because without it periodic output is not very relevant about security risks...
It the concerns first appeared in 2019: https://forums.freebsd.org/threads/pkg-audit-vuln-xml-no-more-updates-for-base-system-and-kernel.71239/
*It seems
Sorry, I typed that comment and didn't mean to add it.
I'm suggesting updating this PR: "Product" => "Security" "Component" => "Base System" And maybe "Assignee" too.
Vulnerabilities from 2024-09-19 are also missing.
I still don't understand the internal processes of publishing a new SA. How is it even possible that records are so often missing in VuXML?