# pkg audit and FreshPorts mismatch



## gnath (Mar 11, 2018)

After upgrading my packages today I have found:

```
pkg audit -F
Fetching vuln.xml.bz2: 100%  711 KiB 242.8kB/s    00:03   
libsndfile-1.0.28_1 is vulnerable:
libsndfile -- out-of-bounds reads
CVE: CVE-2017-17457
CVE: CVE-2017-17456
CVE: CVE-2017-14246
CVE: CVE-2017-14245
WWW: https://vuxml.FreeBSD.org/freebsd/30704aba-1da4-11e8-b6aa-4ccc6adda413.html
1 problem(s) in the installed packages found.
```
But my system has

```
pkg inf libsndfile
libsndfile-1.0.28_1
Name           : libsndfile
Version        : 1.0.28_1
Installed on   : Mon Mar  5 18:08:25 2018 IST
```
FreshPorts has also reported the same version and no issue after Mar 01.
Are these all new CVEs, or do I have some stale files? I have also used `pkg clean`.


----------



## talsamon (Mar 11, 2018)

FreshPorts lists audio/libsndfile under "latest vulnerabilities". `pkg info` does not show vulnerabilities.


----------



## gnath (Mar 11, 2018)

Package `libsndfile` was last updated on 06 Mar to the latest version, but
https://www.vuxml.org/freebsd/004debf9-1d16-11e8-b6aa-4ccc6adda413.html
shows no vulnerability for this version. This means it still exists as per FreshPorts.


talsamon said:


> FreshPorts lists audio/libsndfile under "latest vulnerabilities"


----------



## talsamon (Mar 11, 2018)

It was not a new version, only patches. But 1.0.29 still has vulnerabilities:
https://www.cvedetails.com/vulnerab...259/Libsndfile-Project-Libsndfile-1.0.29.html


----------



## SirDice (Mar 12, 2018)

Look at the VuXML URL: any version below 1.0.29 is vulnerable. This includes 1.0.28_1 and 1.0.29pre1 (prerelease version).


----------
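
The range check described in the post above, as an added example that is not part of the thread and not pkg's own code: it evaluates a "below 1.0.29" range against the versions discussed, showing that a port revision (`_1`) or a `pre` tag does not lift a version out of the range. The XML fragment is constructed in the shape of a VuXML `<affects>` block, the ordering is a simplified model of FreeBSD version comparison, and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment shaped like a VuXML <affects> block (namespace omitted).
SAMPLE_AFFECTS = """
<affects>
  <package>
    <name>libsndfile</name>
    <range><lt>1.0.29</lt></range>
  </package>
</affects>
"""

# Pre-release tags rank below the plain release (simplified model, not pkg's code).
STAGES = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1}
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def parse(version):
    """Split 'upstream_PORTREVISION,PORTEPOCH' into comparable pieces."""
    version, _, epoch = version.partition(",")
    upstream, _, revision = version.partition("_")
    parts = []
    for tok in re.findall(r"\d+|[a-z]+", upstream.lower()):
        if tok.isdigit():
            parts.append((0, int(tok)))
        elif tok in STAGES:
            parts.append((STAGES[tok], 0))
        else:
            parts.append((1, ord(tok[0]) - ord("a") + 1))
    return int(epoch or 0), parts, int(revision or 0)

def compare(a, b):
    """Return -1, 0 or 1; the shorter upstream version is padded with zeros."""
    (ea, pa, ra), (eb, pb, rb) = parse(a), parse(b)
    n = max(len(pa), len(pb))
    ka = (ea, pa + [(0, 0)] * (n - len(pa)), ra)
    kb = (eb, pb + [(0, 0)] * (n - len(pb)), rb)
    return (ka > kb) - (ka < kb)

def is_affected(name, version, affects_xml):
    """True if every bound of some <range> for this package matches."""
    for pkg in ET.fromstring(affects_xml).iter("package"):
        if name not in [n.text for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            if all(OPS[bound.tag](compare(version, bound.text)) for bound in rng):
                return True
    return False
```

On a FreeBSD host, `pkg version -t 1.0.28_1 1.0.29` gives the authoritative comparison result for any pair of versions.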



## talsamon (Mar 12, 2018)

Thanks, you are right.


----------

