cmake-core vulnerability in fbsd 14.0

[ram00]

While compiling some utility,

===>  cmake-core-3.26.1_3 has known vulnerabilities:
cmake-core-3.26.1_3 is vulnerable:
  curl -- SOCKS5 heap buffer overflow
  CVE: CVE-2023-38545
  WWW: https://vuxml.FreeBSD.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html

1 problem(s) in 1 installed package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1

That is after installing fbsd 14.0 with ports and running freebsd-update.

There seems to be no update yet (empty result):

# pkg version -l "<"

The vuxml link above reports:
Affected packages
7.69.0 < curl < 8.4.0
cmake-core < 3.27.8

Neither corrected packages have appeared yet in 14.0, three months after the correction was published. My curl is 8.3.0 and cmake-core 3.26.1.

 

[richardtoohey2]

You need to update packages and/or if building frm ports, then ports as well.

It is not recommended to mix the two.

 

[ram00]

I am not mixing the two, since I have no package installed:

# pkg audit -F
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.

I used the word package, because the text of vuxml used it.

 

[richardtoohey2]

OK, so what ports tree are you using? How did you get it? Have you updated it?

root@r220:/home/wibble # freebsd-version
14.0-RELEASE-p4
root@r220:/home/wibble # pkg info | grep cmake
cmake-core-3.28.1              Cross-platform Makefile generator
root@r220:/home/wibble # pkg info | grep curl
curl-8.5.0                     Command line tool and library for transferring data with URLs
php82-curl-8.2.15              The curl shared extension for php

You need to update your ports is the short answer, but the recommendation will depend on how you installed them in the first place and how you want to proceed.

gitup ports

Is probably the way to go, but there are other answers.

freebsd-update will not update ports - that's a separate step.

 

[ram00]

Thanks, Richard, for pointing me in the right direction.
After using gitup ports, I could build cmake-core.
But I now have other unsatisfied dependencies (such as perl5-5.34.3 vs 5.34.1).
We shall see if I can overcome those.
Thanks again from the (almost) antipode.