Is the automatic update, updating all packets with known vulnerabilities on the system?

Status
Not open for further replies.

Niels Erik

Dabbler
Joined
Aug 9, 2015
Messages
18
Hi

I have two FreeNAS systems on the ’FreeNAS 11-Stable’ train, updated to ’FreeNAS-11.0-U3’ a few days ago.
I only use the pkg manager to update my jails. (I know that I'm not supposed to use pkg on the host)
But when I audited the host system itself, it listed a number of vulnerable packets.
Both of my NAS boxes are updated to the newest stable version, but list the same vulnerable packets.
Why? I expected the automatic system update to keep the system updated.
Or is the pkg audit wrong about the status of my host systems? (jails are ok)

Code:
# pkg audit | grep vulnerable
apache24-2.4.25_1 is vulnerable:
oniguruma5-5.9.6_1 is vulnerable:
curl-7.52.1 is vulnerable:
libgcrypt-1.7.5 is vulnerable:
openvpn-2.3.12_1 is vulnerable:
py36-django110-1.10.3 is vulnerable:
icu-57.1,1 is vulnerable:
collectd5-5.7.1_6 is vulnerable:
graphite2-1.3.8 is vulnerable:
freetype2-2.6.3 is vulnerable:
nss-3.28 is vulnerable:
samba46-4.6.5_5 is vulnerable:
proftpd-1.3.5b is vulnerable:
openssl-1.0.2j_1,1 is vulnerable:
nginx-1.10.1_2,2 is vulnerable:
libevent2-2.0.22_1 is vulnerable:
sqlite3-3.14.1_1 is vulnerable:
gnutls-3.4.15 is vulnerable:
 

dlavigne

Guest
Typically, pkgs are updated with new major versions but not with updates. If there is a specific vulnerability for a key pkg (such as Samba), a patched version of that pkg will be included in the update to address that vulnerability.
 

Niels Erik

Dabbler
Joined
Aug 9, 2015
Messages
18
Typically, pkgs are updated with new major versions but not with updates. If there is a specific vulnerability for a key pkg (such as Samba), a patched version of that pkg will be included in the update to address that vulnerability.
Ok
Code:
pkg audit
samba46-4.6.5_5 is vulnerable:
samba -- Orpheus Lyre mutual authentication validation bypass
CVE: CVE-2017-11103
WWW: https://vuxml.FreeBSD.org/freebsd/85851e4f-67d9-11e7-bc37-00505689d4ae.html
Affected packages
samba46 < 4.6.6
Code:
smbd -V
Version 4.6.4-GIT-d1d80f3
How is this to be understood?
Is this a vulnerable 4.6.4 patched with a commit on GitHub that fixes the flaw?
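An added example (not from the thread or the FreeNAS project) that parses `pkg audit` output in the format shown above and checks an installed version against the "Affected packages" range. The version ordering is a simplified approximation of pkg's rules (epoch after ",", revision after "_", digit and letter tokens compared in order) and the audit text is a constructed excerpt, not a live capture:

```python
import re

# Constructed excerpt in the format `pkg audit` prints (not a live capture).
SAMPLE = """\
samba46-4.6.5_5 is vulnerable:
samba -- Orpheus Lyre mutual authentication validation bypass
CVE: CVE-2017-11103
WWW: https://vuxml.FreeBSD.org/freebsd/85851e4f-67d9-11e7-bc37-00505689d4ae.html
Affected packages
samba46 < 4.6.6
"""

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def split_pkg(pkg):
    """'py36-django110-1.10.3' -> ('py36-django110', '1.10.3'): version follows the last dash."""
    name, _, ver = pkg.rpartition("-")
    return name, ver

def version_key(ver):
    """Simplified pkg ordering: epoch (after ',') first, then dotted version, then revision ('_N')."""
    m = re.fullmatch(r"([^_,]+)(?:_(\d+))?(?:,(\d+))?", ver)
    body, rev, epoch = m.groups()
    # '1.0.2j' -> 1, 0, 2, 'j'; tag tokens so ints never compare against strings
    parts = [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|[A-Za-z]+", body)]
    return (int(epoch or 0), parts, int(rev or 0))

def parse_audit(text):
    """Group `pkg audit` lines into one dict per 'X is vulnerable:' block."""
    entries, block = [], None
    for line in text.splitlines():
        if line.endswith(" is vulnerable:"):
            name, ver = split_pkg(line[:-len(" is vulnerable:")])
            block = {"pkg": name, "version": ver, "cves": [], "affected": []}
            entries.append(block)
        elif block is None:
            continue
        elif line.startswith("CVE: "):
            block["cves"].append(line[5:])
        else:  # range line such as 'samba46 < 4.6.6' or 'foo >= 1.0 < 1.2'
            m = re.match(r"(\S+)((?:\s*(?:<=|>=|<|>|=)\s*\S+)+)$", line)
            if m and m.group(1) == block["pkg"]:
                block["affected"].append(re.findall(r"(<=|>=|<|>|=)\s*(\S+)", m.group(2)))
    return entries

def is_affected(version, ranges):
    """True if the version lies in any listed range (each range's terms must all hold)."""
    v = version_key(version)
    return any(all(OPS[op](v, version_key(b)) for op, b in terms) for terms in ranges)
```

Note that the check runs on the package version string, which is what `pkg audit` sees; a binary reporting a different version (as `smbd -V` does above) is not visible to it.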
 