On May 7, I got a notification in my server's daily security run output that python27 was determined to be vulnerable:
I tried to update python27:
I checked at the VuXML link, and it basically says the same thing as the audit output, except that the URLs in the References section point to github.
Thinking the repository might not be up to date, and being busy with other things, I set the issue aside for later. I repeated the upgrade attempt on May 8 and 9, and got the same result.
Today my security run output had another vulnerability:
Again I attempted an upgrade, without success:
I have a /usr/local/etc/pkg/repos/FreeBSD.conf that contains
so I would expect the latest versions in the repositories to be used for my updates. Am I doing something wrong, or have the repositories not been updated?
Code:
Checking for packages with security vulnerabilities:
python27-2.7.14_1
Checking for a current audit database:
Database created: Sun May 6 02:13:00 EDT 2018
Checking for packages with security vulnerabilities:
Checking for packages with mismatched checksums:
ghc-8.0.2_3: /usr/local/bin/haddock
...
Code:
# pkg info python27
python27-2.7.14_1
Name : python27
Version : 2.7.14_1
Installed on : Wed Mar 7 06:32:09 2018 EST
Origin : lang/python27
Architecture : FreeBSD:11:amd64
Prefix : /usr/local
Categories : python lang ipv6
Licenses : PSFL
Maintainer : python@FreeBSD.org
WWW : https://www.python.org/
Comment : Interpreted object-oriented programming language
Options :
DEBUG : off
IPV6 : on
LIBFFI : on
NLS : on
PYMALLOC : on
THREADS : on
UCS2 : off
UCS4 : on
Shared Libs required:
libreadline.so.7
libintl.so.8
libffi.so.6
Shared Libs provided:
libpython2.7.so.1
Annotations :
cpe : cpe:2.3:a:python:python:2.7.14:::::freebsd11:x64:1
repo_type : binary
repository : FreeBSD
Flat size : 67.7MiB
Description :
Python is an interpreted object-oriented programming language, and is
often compared to Tcl, Perl or Scheme.
WWW: https://www.python.org/
# pkg update
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
Fetching packagesite.txz: 100% 6 MiB 6.5MB/s 00:01
Processing entries: 100%
FreeBSD repository update completed. 31727 packages processed.
All repositories are up to date.
# pkg install python27
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installed
# pkg audit
python27-2.7.14_1 is vulnerable:
python 2.7 -- multiple vulnerabilities
CVE: CVE-2018-1061
CVE: CVE-2018-1060
CVE: CVE-2017-9233
CVE: CVE-2016-9063
CVE: CVE-2016-4472
CVE: CVE-2016-0718
CVE: CVE-2012-0876
WWW: https://vuxml.FreeBSD.org/freebsd/8719b935-8bae-41ad-92ba-3c826f651219.html
1 problem(s) in the installed packages found.
# pkg update --force
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
Fetching packagesite.txz: 100% 6 MiB 6.5MB/s 00:01
Processing entries: 100%
FreeBSD repository update completed. 31727 packages processed.
All repositories are up to date.
# pkg install python27
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installedThinking the repository might not be up to date, and being busy with other things, I set the issue aside for later. I repeated the upgrade attempt on May 8 and 9, and got the same result.
Today my security run output had another vulnerability:
Code:
Checking for packages with security vulnerabilities:
python27-2.7.14_1
wget-1.19.4_2
Checking for a current audit database:
Downloading fresh database.
auditfile.tbz 0 B 0 Bps
New database installed.
Database created: Thu May 10 03:13:00 EDT 2018
Checking for packages with security vulnerabilities:
Checking for packages with mismatched checksums:
ghc-8.0.2_3: /usr/local/bin/haddock
...
Code:
# pkg update
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
Fetching packagesite.txz: 100% 6 MiB 6.5MB/s 00:01
Processing entries: 100%
FreeBSD repository update completed. 31828 packages processed.
All repositories are up to date.
# pkg install python27
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installed
# pkg install wget
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installed
# pkg audit
python27-2.7.14_1 is vulnerable:
python 2.7 -- multiple vulnerabilities
CVE: CVE-2018-1061
CVE: CVE-2018-1060
CVE: CVE-2017-9233
CVE: CVE-2016-9063
CVE: CVE-2016-4472
CVE: CVE-2016-0718
CVE: CVE-2012-0876
WWW: https://vuxml.FreeBSD.org/freebsd/8719b935-8bae-41ad-92ba-3c826f651219.html
wget-1.19.4_2 is vulnerable:
wget -- cookie injection vulnerability
CVE: CVE-2018-0494
WWW: https://vuxml.FreeBSD.org/freebsd/7b5a8e3b-52cc-11e8-8c7a-9c5c8e75236a.html
2 problem(s) in the installed packages found.I have a /usr/local/etc/pkg/repos/FreeBSD.conf that contains
Bash:
FreeBSD: {
url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
mirror_type: "srv",
enabled: yes
}
