# security/openssl has known vulnerabilities?



## derekschrock (Jan 22, 2012)

Why does the current security/openssl report with known vulnerabilities?

From the following URL http://portaudit.freebsd.org/5c5f19ce-43af-11e1-89b4-001ec9578670.html


```
Affects:
    * openssl <1.0.0_9
```


then http://www.openssl.org/news/secadv_20120118.txt


```
Affected users should upgrade to OpenSSL 1.0.0g or 0.9.8t.
```

As of 01/22 6:02 EST security/openssl is downloading 1.0.0g from distinfo:

```
SHA256 (openssl-1.0.0g/openssl-1.0.0g.tar.gz) = 905106a1505e7d9f7c36ee81408d3aa3d41aac291a9603d0c290c9530c92fc2c
```

Is distinfo not a valid method to figure out what version the port uses or should the portaudit auditfile be "openssl<1.0.0_9" not "openssl<1.0.0g"?


----------



## gessel (Jan 23, 2012)

Try updating the portaudit database

```
# portaudit -F
```


----------



## derekschrock (Jan 23, 2012)

Yeah, last night's nightly portaudit run updated the db file. Looks like the line was changed to 1.0.0_9 from 1.0.0g. I can now update openssl without bsd.ports.mk stopping the build.


----------
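Why an audit entry keyed on the upstream version (`openssl<1.0.0g`) still matches a port whose package version is `1.0.0_9`, while `openssl<1.0.0_9` does not, shown as an added example that is not part of the original thread. The comparator is a simplified model of FreeBSD package version ordering (epoch first, then the dotted version with an optional letter suffix, then the `_revision`); the function names are hypothetical and `1.0.0_8` is a constructed sample value.

```python
import re

def parse_version(v):
    """Split 'version[_revision][,epoch]' into (epoch, components, revision)."""
    v, _, epoch = v.partition(",")
    v, _, revision = v.partition("_")
    parts = []
    for comp in v.split("."):
        m = re.fullmatch(r"(\d*)([a-z]*)", comp)
        if m is None:
            raise ValueError(f"unsupported version component: {comp!r}")
        # A component is a number plus an optional letter suffix ("0g" -> (0, "g")).
        parts.append((int(m.group(1) or 0), m.group(2)))
    return int(epoch or 0), parts, int(revision or 0)

def compare(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b (simplified model)."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    width = max(len(pa), len(pb))
    pa += [(0, "")] * (width - len(pa))  # missing components count as 0
    pb += [(0, "")] * (width - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)

OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
    ">=": lambda c: c >= 0, ">": lambda c: c > 0,
}

def is_flagged(entry, name, version):
    """True if a single-operator audit entry such as 'openssl<1.0.0g' matches."""
    m = re.fullmatch(r"([^<>=]+)(<=|>=|<|>|=)(.+)", entry)
    if m is None:
        raise ValueError(f"unsupported audit entry: {entry!r}")
    return m.group(1) == name and OPS[m.group(2)](compare(version, m.group(3)))

if __name__ == "__main__":
    # The fixed port (package version 1.0.0_9, distfile 1.0.0g) against both entries.
    for entry in ("openssl<1.0.0g", "openssl<1.0.0_9"):
        print(entry, "flags openssl-1.0.0_9:", is_flagged(entry, "openssl", "1.0.0_9"))
    # Constructed sample: an older port revision is still caught by the corrected entry.
    print("openssl<1.0.0_9 flags openssl-1.0.0_8:",
          is_flagged("openssl<1.0.0_9", "openssl", "1.0.0_8"))
```

The port revision suffix is compared only after the base version, so `1.0.0_9` sorts below `1.0.0g` even though the port at that revision already ships the 1.0.0g sources.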

