
We have several FreeBSD servers, where we check daily for vulnerabilities with pkg audit.

Question: Very often, the same vulnerability is reported in some servers only, and then in some others the next day. The question is: why is that?

More info:

1. The servers are mostly identical: same version, same installed software and doing the same duties.

2. I've tried logging in to the servers which did not report the vulnerability:

  1. portsnap fetch update then pkg audit gives 0 problem(s) in the installed packages found.
  2. portmaster <packagename> tries to reinstall the vulnerable package rather than upgrade it.

3. uname -a on two different servers:

FreeBSD host1.domain.com 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #14: Wed Apr 12 08:59:21 CEST 2017     admin@host1.domain.com:/usr/obj/usr/src/sys/MYKERNEL  i386
FreeBSD host2.domain.org 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #9: Fri Feb 24 13:30:09 CET 2017     root@host2.domain.3b:/usr/obj/usr/src/sys/MYKERNEL  i386

4. In all cases, portsnap fetch update downloads from the same mirror:

Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org

5. Example of vulnerabilities found by pkg audit:

curl-7.54.1 is vulnerable:
cURL -- multiple vulnerabilities
CVE: CVE-2017-1000101
CVE: CVE-2017-1000100
CVE: CVE-2017-1000099
WWW: https://vuxml.FreeBSD.org/freebsd/69cfa386-7cd0-11e7-867f-b499baebfeaf.html

sqlite3-3.19.3_1 is vulnerable:
sqlite3 -- heap-buffer overflow
CVE: CVE-2017-10989
WWW: https://vuxml.FreeBSD.org/freebsd/9245681c-7c3c-11e7-b5af-a4badb2f4699.html

6. All servers are in the same location and share the same direct Internet connection. No proxy.

simlev

1 Answer


Could you confirm that you are using pkg audit -F:

 -F, --fetch
        Fetch the database before checking.

Besides that, if the servers are not in the same location, it's also possible that:

  • some servers are using a proxy caching the database file
  • servers are not using the same VulnXML mirror (vuxml.freebsd.org is automatically redirected to closest mirror)
  • I bet you mean `pkg audit -F`. I'll try adding the `-F` switch and see what happens. All servers are in the same location and share the same Internet connection without using a proxy. – simlev Aug 11 '17 at 12:35
  • It seems this is it: running `pkg audit -F` against all servers helped discover an as of yet unreported vulnerability that had been patched everywhere else but on that server. – simlev Aug 11 '17 at 13:13
  • `pkg audit -F` indeed, answer fixed :) – Clément Moulin - SimpleRezo Aug 11 '17 at 15:29
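The root cause above is a stale local vulnerability database: without `-F`, `pkg audit` checks against whatever copy of vuln.xml is already on disk, so servers that fetched it at different times disagree. The POSIX shell helpers below are an added example (not from the question or answer) for a daily check script: one verifies the fetched database is recent enough to trust, the other condenses `pkg audit` output (the format shown in the question) into one line per vulnerable package. The default path /var/db/pkg/vuln.xml is the assumed location where `pkg audit -F` stores the database; the sample audit output is constructed from the question's own listing.

```shell
#!/bin/sh
# Constructed sample of `pkg audit` output, matching the question's format.
SAMPLE_AUDIT='curl-7.54.1 is vulnerable:
cURL -- multiple vulnerabilities
CVE: CVE-2017-1000101
CVE: CVE-2017-1000100
CVE: CVE-2017-1000099
WWW: https://vuxml.FreeBSD.org/freebsd/69cfa386-7cd0-11e7-867f-b499baebfeaf.html

sqlite3-3.19.3_1 is vulnerable:
sqlite3 -- heap-buffer overflow
CVE: CVE-2017-10989
WWW: https://vuxml.FreeBSD.org/freebsd/9245681c-7c3c-11e7-b5af-a4badb2f4699.html'

# vulndb_is_fresh [db_path] [max_age_seconds]
# Returns 0 when the vulnerability database exists and was modified within
# max_age_seconds (default: one day), 1 otherwise. Run `pkg audit -F` (or
# refuse to trust the result) when this fails. The default path is an
# assumption about where pkg stores the fetched database.
vulndb_is_fresh() {
    db=${1:-/var/db/pkg/vuln.xml}
    max_age=${2:-86400}
    [ -f "$db" ] || return 1
    now=$(date +%s)
    # GNU stat first (-c), BSD stat (-f) as fallback, so this runs on both.
    mtime=$(stat -c %Y "$db" 2>/dev/null || stat -f %m "$db")
    [ $((now - mtime)) -le "$max_age" ]
}

# audit_summary <audit_output>
# Emits "package<TAB>cve_count<TAB>comma-separated CVEs" per vulnerable
# package, in the order pkg audit reported them.
audit_summary() {
    printf '%s\n' "$1" | awk '
        / is vulnerable:$/ { pkg = $1; count[pkg] = 0; order[++n] = pkg; next }
        /^CVE: /           { count[pkg]++
                             cves[pkg] = cves[pkg] (cves[pkg] ? "," : "") $2 }
        END { for (i = 1; i <= n; i++)
                  printf "%s\t%d\t%s\n", order[i], count[order[i]], cves[order[i]] }'
}

# audit_count <audit_output>: number of vulnerable packages (0 when clean).
audit_count() {
    printf '%s\n' "$1" | awk '/ is vulnerable:$/ { n++ } END { print n + 0 }'
}
```

In a cron job the natural sequence is `pkg audit -F`, then `vulndb_is_fresh || exit 1` as a guard against a failed fetch, then piping the audit output through `audit_summary` into the report; a server reporting "0 problem(s)" with a stale database should be treated as unknown, not clean.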