portaudit warns about an already fixed vulnerability. See these threads:

http://lists.freebsd.org/pipermail/freebsd-audit/2004-September/000072.html
http://lists.freebsd.org/pipermail/freebsd-security/2004-September/002289.html

How-To-Repeat: portaudit -Fa
Should this be this way?:

--------------------------------------------------8<----------
dxlvi ~# date
Tue Oct 5 16:04:57 CEST 2004
dxlvi ~# uname -a
FreeBSD dxlvi.chello.hu 5.2.1-RELEASE-p11 FreeBSD 5.2.1-RELEASE-p11 #0: Tue Oct 5 10:52:20 CEST 2004 root@dxlvi.chello.hu:/usr/obj/usr/src/sys/DXLVI i386
dxlvi ~# cvs --version

Concurrent Versions System (CVS) 1.11.5-FreeBSD (client/server)

Copyright (c) 1989-2002 Brian Berliner, david d `zoo' zuhn,
 Jeff Polk, and other authors

CVS may be copied only under the terms of the GNU General Public License,
a copy of which can be found with the CVS distribution kit.

Specify the --help option for further information about CVS

dxlvi ~# portaudit -Fa
Receiving auditfile.tbz (12646 bytes): 100%
12646 bytes transferred in 0.7 seconds (17.65 kBps)
New database installed.
Affected package: FreeBSD-502010
Type of problem: multiple vulnerabilities in the cvs server code.
Reference: <http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html>
Note: To disable this check add the uuid to `portaudit_fixed' in /usr/local/etc/portaudit.conf

0 problem(s) in your installed packages found.
--------------------------------------------------8<----------

From http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html:

References:
 * CVE name CAN-2004-0414
 * CVE name CAN-2004-0416
 * CVE name CAN-2004-0417
 * CVE name CAN-2004-0418
 * CVE name CAN-2004-0778
[...]
Affects:
 * cvs+ipv6 <1.11.17
 * FreeBSD <491101
 * FreeBSD >=500000 <502114
--------------------------------------------------8<----------

From ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:14.cvs.asc:

Topic:          CVS
Category:       contrib
Module:         cvs
Announced:      2004-09-19
Credits:        Stefan Esser, Sebastian Krahmer, Derek Price
                iDEFENSE
Affects:        All FreeBSD versions
Corrected:      2004-06-29 16:10:50 UTC (RELENG_4)
                2004-09-19 22:26:22 UTC (RELENG_4_10, 4.10-RELEASE-p3)
                2004-09-19 22:27:36 UTC (RELENG_4_9, 4.9-RELEASE-p12)
                2004-09-19 22:28:14 UTC (RELENG_4_8, 4.8-RELEASE-p25)
                2004-09-19 22:37:10 UTC (RELENG_5_2, 5.2.1-RELEASE-p10)
CVE Name:       CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418, CAN-2004-0778
--------------------------------------------------8<----------

So, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418 and CAN-2004-0778 are:
 * Fixed in 5.2.1-RELEASE-p10
 * Reported as unfixed on an 5.2.1-RELEASE-p11 system
 * Reported as fixed in "502114" (?) in the URL portaudit gives
 * Reported by portaudit as affecting "502010"

Hope it helps...
<kerochan2@gmail.com>
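As an added illustration of the mismatch the report describes (this is not portaudit's own code), a simplified matcher over the "Affects" lines quoted above; the constraint grammar and the numeric version comparison are assumptions that cover only the values shown in this PR. It shows why a base system reported as FreeBSD-502010 matches the range whether it runs -p10 or -p11: the patch level never enters the compared number.

```python
import re

# Constructed from the VuXML entry quoted in the report.
AFFECTS = ["cvs+ipv6 <1.11.17", "FreeBSD <491101", "FreeBSD >=500000 <502114"]

OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
}


def parse_version(v):
    """Turn '502010' or '1.11.17' into a comparable tuple of ints (assumption:
    only numeric dot-separated components, which is all this PR quotes)."""
    return tuple(int(part) for part in v.split("."))


def parse_constraints(spec):
    """Parse one Affects line, e.g. 'FreeBSD >=500000 <502114', into
    (package, [(op, version), ...]). All constraints must hold to match."""
    pkg, *terms = spec.split()
    constraints = []
    for term in terms:
        m = re.fullmatch(r"(<=|>=|<|>|=)(.+)", term)
        if not m:
            raise ValueError(f"bad constraint: {term}")
        constraints.append((m.group(1), m.group(2)))
    return pkg, constraints


def is_affected(installed, spec):
    """installed maps package name to version string; the base system appears as
    the pseudo-package 'FreeBSD' with its __FreeBSD_version (502010 in the report)."""
    pkg, constraints = parse_constraints(spec)
    if pkg not in installed:
        return False
    have = parse_version(installed[pkg])
    return all(OPS[op](have, parse_version(want)) for op, want in constraints)


def audit(installed):
    """Return the Affects lines that match, like the 'Affected package' output."""
    return [spec for spec in AFFECTS if is_affected(installed, spec)]


def patch_level(release):
    """Extract N from '5.2.1-RELEASE-pN'. Nothing in audit() consumes this value:
    the -pN security branch level is not encoded in __FreeBSD_version, which is
    the reason a patched -p11 system is still flagged."""
    m = re.search(r"-p(\d+)$", release)
    return int(m.group(1)) if m else None
```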
Responsible Changed From-To: freebsd-bugs->eik Over to maintainer.
I'd like to add to the audit trail that this problem affects 4.x versions, too. In particular, portaudit tells the following on my 4.10-RELEASE-p3 system:

Affected package: FreeBSD-491000
Type of problem: multiple vulnerabilities in the cvs server code.
Reference: <http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html>
Note: To disable this check add the uuid to `portaudit_fixed' in /usr/local/etc/portaudit.conf

I hope this can help to spot the problem.

-- Yar
Responsible Changed From-To: eik->simon Grab portaudit PR with new portaudit maintainer hat.
State Changed From-To: open->suspended To make this functionality really work we need a better versioning of security updates, which the Security Team is looking at. Until that is resolved portaudit can't really do that much useful wrt. the base system vulnerabilities, so suspend the PR for now.
Responsible Changed From-To: simon->freebsd-bugs Send PRs which I'm unlikely to look at back to the pool.