[Solved] pkg audit indicates vulnerability but pkg upgrade says "nothing to update"

I have a strange situation: pkg audit indicates that my system has vulnerable packages:

Code:
#pkg audit
expat-2.2.6_1 is vulnerable:
expat2 -- Fix extraction of namespace prefixes from XML names
WWW: https://vuxml.FreeBSD.org/freebsd/c5bd8a25-99a6-11e9-a598-f079596b62f9.html

expat-2.2.6_1 is vulnerable:
expat2 -- Fix extraction of namespace prefixes from XML names
WWW: https://vuxml.FreeBSD.org/freebsd/6856d798-d950-11e9-aae4-f079596b62f9.html

curl-7.65.1 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-5482
CVE: CVE-2019-5481
WWW: https://vuxml.FreeBSD.org/freebsd/9fb4e57b-d65a-11e9-8a5f-e5c82b486287.html

3 problem(s) in 2 installed package(s) found.

However, pkg upgrade says that there is nothing to upgrade.

Code:
# pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.

I have checked on FreshPorts and there exists a more recent version of these packages. I have also tried to upgrade specific packages, but it still finds no update. Of course I have not mixed packages and ports. I have 71 packages installed:

Code:
# pkg info | wc -l
71

Any idea of what I should try to be able to upgrade my packages again?
 
Indeed I am on quarterly, thank you!

Edit: However, as per my understanding, the quarterly branch should get security fixes right away, so I think the maintainers may want to look into that. The vulnerabilities in question have been mentioned in the daily security output for a couple of days now. Not sure what the normal time frame is to have patches in quarterly.
 
I use latest for pkg, and sometimes they haven't built a new package yet to get the latest security fix. I have to wait, expected to be under a few days, or build it from ports to get that latest security fix. I'd rather build it from ports than wait. Sometimes there are security vulnerabilities for ports that persist for months, but this hasn't happened in over a year for me.

If your packages are set to quarterly, make sure that ports are fetched from quarterly as well.
 
Hi there, but aren't you mixing packages with ports when you build yourself on top of pkg? Or is that not a problem? (Trying to get to the bottom of the pkg vs ports issue.) Thanks in advance.
 
If you installed everything from packages, and something has a vulnerability, you can use ports to upgrade it, because the install will be based on the options of the packages. Also, some programs are available in ports but not packages, so ports fill that gap. There's another option for portmaster, which is to use packages for build-only dependencies only.

For installing a new set of applications from a clean slate, they advise not to mix ports and packages, as the options and dependencies are different. I often mix ports and packages for fresh installs to save time, but I do so keeping track of what I'm doing. I'll install only using packages for the bottom layer of programs and programming languages, and I don't make it more complicated than that. Xorg, clang, rust and so forth from packages, then install the rest of my applications from ports. They keep saying don't do that, but it works for me, and I do it anyway.

In the case that there's a vulnerability and there's not an updated package yet in the repository, upgrading from ports is a necessity. It's important to use the same branch for both ports and packages, no matter what.
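The branch check the last reply recommends, as an added example that is not part of the thread: it pulls the branch (quarterly or latest) out of a FreeBSD.conf-style repo stanza, such as the text `pkg -vv` prints, classifies a ports tree branch name the same way, and reports whether the two agree. The sample config text is constructed inline; the helper names are my own.

```sh
#!/bin/sh
# Added example (not from the thread): detect a quarterly/latest mismatch
# between the configured pkg repository and the ports tree branch.

# Read FreeBSD.conf-style text on stdin and print the last path component
# of the first "url:" line, e.g.
#   url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly"  ->  quarterly
# Works on /etc/pkg/FreeBSD.conf, an override file, or the output of pkg -vv.
pkg_repo_branch() {
    sed -n 's|^[[:space:]]*url[[:space:]]*:[[:space:]]*"[^"]*/\([^"/]*\)".*|\1|p' | head -n 1
}

# Map a ports tree branch name onto the pkg branch it feeds:
# main/master/head track latest; quarterly branches are named like 2019Q3.
ports_branch_class() {
    case "$1" in
        main|master|head|latest)    echo latest ;;
        quarterly)                  echo quarterly ;;
        [0-9][0-9][0-9][0-9]Q[1-4]) echo quarterly ;;
        *)                          echo unknown ;;
    esac
}

# Exit status 0 when the pkg branch ($1) and ports branch name ($2) agree.
branches_match() {
    [ "$1" = "$(ports_branch_class "$2")" ]
}

# Constructed sample stanzas in the format of /etc/pkg/FreeBSD.conf.
SAMPLE_CONF_QUARTERLY='FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly",
  mirror_type: "srv",
  enabled: yes
}'
SAMPLE_CONF_LATEST='FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  enabled: yes
}'

# Live check on a FreeBSD host (assumes a git-based ports tree in /usr/ports):
#   repo=$(pkg -vv | pkg_repo_branch)
#   tree=$(git -C /usr/ports rev-parse --abbrev-ref HEAD)
#   branches_match "$repo" "$tree" || echo "mismatch: pkg=$repo ports=$tree"
demo() {
    repo=$(printf '%s\n' "$SAMPLE_CONF_QUARTERLY" | pkg_repo_branch)
    branches_match "$repo" 2019Q3 && echo "ok: pkg=$repo ports=2019Q3"
    branches_match "$repo" main   || echo "mismatch: pkg=$repo ports=main"
}
```

A mismatch found this way explains a ports build pulling in different versions or options than the packages already installed.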
 