apache24-2.4.54 has known vulnerabilities?

[Aknot]

Hello,

I'm getting the following message when running gitup ports and then portmaster www/apache24

===>>> Starting build for www/apache24 <<<===
===>>> All dependencies are up to date
===>  Cleaning for apache24-2.4.54
===>  apache24-2.4.54 has known vulnerabilities:
apache24-2.4.54 is vulnerable:
  Apache httpd -- Multiple vulnerabilities
  CVE: CVE-2022-26377
  CVE: CVE-2022-28330
  CVE: CVE-2022-28614
  CVE: CVE-2022-28615
  CVE: CVE-2022-29404
  CVE: CVE-2022-30522
  CVE: CVE-2022-30556
  CVE: CVE-2022-31813
  WWW: https://vuxml.FreeBSD.org/freebsd/49adfbe5-e7d1-11ec-8fbd-d4c9ef517024.html

But I don't get it, as I understand it, apache24-2.4.53 is vulnerable, and not apache24-2.4.54?

Thanks,

 

[mer]

If you went and looked at descriptions for all the CVE's listed and they all say apache24-2.4.53 and prior, then it's likely the vuxml database has not been updated at the time of your build.
That's just a guess on my part.

 

[SirDice]

Try updating it; pkg audit -F

The VuXML says it's:

Affected packages
apache24 	< 	2.5.54

 

[rootbert]

264585 – www/apache24: pkg vuln typo

bugs.freebsd.org

 

[SirDice]

PR is/was sent to the maintainer of Apache, they can't do anything about this. It needs to be fixed by a port committer or the security team.

Committers can update the VuXML database themselves, assisting the Security Officer Team and delivering crucial information to the community more quickly. Those who are not committers or have discovered an exceptionally severe vulnerability should not hesitate to contact the Security Officer Team directly, as described on the FreeBSD Security Information page.

Chapter 12. Security

Security instructions when making a FreeBSD Port

docs.freebsd.org

 

[joneum@]

Fixed yesterday: https://cgit.freebsd.org/ports/commit/?id=0bb1abdb20498df239e15e7f9e9eec33e2eec499

sorry about that. We need more coffee i think