pkg audit: is the p5-Authen-SASL version in vuln.xml correct?

I'm not sure if this is a mistake or not, it appears the project itself made this huge jump in version numbering.

Changes for version 2.1900 - 2025-08-05

Looking at the BackPAN there's a 2.1700 and 2.1800 too. Maybe it's some weird version scheme.
 
The change in numbering doesn't seem to have trickled down to the Makefile quite yet:

Code:
poutine : 09:03:14 /usr/ports/security/p5-Authen-SASL# git -C /usr/ports pull
Already up to date.
poutine : 09:03:20 /usr/ports/security/p5-Authen-SASL# head Makefile 
PORTNAME=   Authen-SASL
PORTVERSION=    2.19
DISTVERSIONSUFFIX=  00
CATEGORIES= security perl5
MASTER_SITES=   CPAN
PKGNAMEPREFIX=  p5-

MAINTAINER= perl@FreeBSD.org
COMMENT=    Perl5 module for SASL authentication
WWW=        https://metacpan.org/release/Authen-SASL
poutine : 09:03:23 /usr/ports/security/p5-Authen-SASL# make -j20
--- stage ---
--- check-vulnerable ---
===>  p5-Authen-SASL-2.19 has known vulnerabilities:
p5-Authen-SASL-2.19 is vulnerable:
  p5-Authen-SASL -- Insecure source of randomness
  CVE: CVE-2025-40918
  WWW: https://vuxml.FreeBSD.org/freebsd/defe9a20-781e-11f0-97c4-40b034429ecf.html

1 problem(s) in 1 package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** [check-vulnerable] Error code 1

make[1]: stopped in /usr/ports/security/p5-Authen-SASL
1 error

make[1]: stopped in /usr/ports/security/p5-Authen-SASL
*** [stage] Error code 2

make: stopped in /usr/ports/security/p5-Authen-SASL
1 error

make: stopped in /usr/ports/security/p5-Authen-SASL

So far, it seems that all that is needed is to change the Makefile to:

Code:
PORTVERSION=    2.1900

The tarball entries in distinfo are already correct.
 
No, the 00 is tacked on due to DISTVERSIONSUFFIX. The entry in the VuXML should be changed to 2.19 so it actually matches up with the port's version.
 
No, the 00 is tacked on due to DISTVERSIONSUFFIX.
After the fact, yes. But the Make system won't build it because of the vulnerability. Changing only the PORTVERSION appears to create a package with the proper name (2.1900, not 2.190000), and pkg info doesn't show anything untoward. But yes, please drop clues if I'm overlooking something. Thank you, SirDice!
Code:
# ls work/pkg/
p5-Authen-SASL-2.1900.pkg
# pkg info p5-Authen-SASL
p5-Authen-SASL-2.1900
Name           : p5-Authen-SASL
Version        : 2.1900
Installed on   : Thu Aug 14 09:16:26 2025 PDT
Origin         : security/p5-Authen-SASL
Architecture   : FreeBSD:14:*
Prefix         : /usr/local
Categories     : perl5 security
Licenses       : ART10, GPLv1+
Maintainer     : perl@FreeBSD.org
WWW            : https://metacpan.org/release/Authen-SASL
Comment        : Perl5 module for SASL authentication
Options        :
KERBEROS       : off
Annotations    :
repo_type      : binary
repository     : my_repo
Flat size      : 104KiB
Description    :
SASL is a generic mechanism for authentication used by
several network protocols. Authen::SASL provides an
implementation framework that all protocols should be able
to share.
 
Don't know why it was done that way. I think the FreeBSD port just kept the versioning scheme in line with previous versions, 2.16 -> 2.17 -> 2.18

It was upstream that jumped from 2.16 to 2.1700:

Maybe this was due to a limitation of CPAN versioning? There seems to have been a 2.14 -> 2.1401 -> 2.15 history. Maybe that 1401 should have been 2.14.1 but this couldn't be done on CPAN?

The port never followed that 2.1401 scheme, as the ports system doesn't have a problem with 2.14.01 being newer than 2.14 and older than 2.15, so the order of versions will stay intact:

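The ordering question raised in the posts above (why pkg treats p5-Authen-SASL-2.19 as older than the 2.1900 named in the VuXML entry, and why 2.14.01 sorts between 2.14 and 2.15 for the ports system while CPAN reads 2.1401 as a decimal) can be checked without a ports tree. The block below is an added example, not code from the thread, from pkg(8) or from the port; it implements a deliberately simplified form of the pkg-version(8) comparison (dotted numeric components only, no letter suffixes, no `_revision` or `,epoch` handling) next to the CPAN decimal reading, and applies it to a VuXML-style `<ge>`/`<lt>` range. The range bounds used here (affected while version is below 2.1900) are an assumption modelled on the build output, not the text of the real entry.

```python
"""
Why p5-Authen-SASL-2.19 trips a VuXML range written against 2.1900.

Added illustration, not code from the forum thread or from pkg(8).
SIMPLIFIED pkg-version(8) semantics: dotted numeric components only
(no letter suffixes, no _revision, no ,epoch).  The VuXML bounds used
in thread_cases() are a constructed assumption, not the real entry.
"""
from fractions import Fraction
from typing import Dict, List, Optional


def pkg_components(version: str) -> List[int]:
    """Split '2.14.01' into [2, 14, 1]: pkg compares each dot-separated
    component as an integer, so leading zeros carry no meaning."""
    return [int(part) for part in version.split(".")]


def pkg_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1, like the '<', '=', '>' of `pkg version -t`,
    for dotted numeric versions.  Missing trailing components count as 0,
    so 2.14 == 2.14.0 < 2.14.01."""
    ca, cb = pkg_components(a), pkg_components(b)
    width = max(len(ca), len(cb))
    ca += [0] * (width - len(ca))
    cb += [0] * (width - len(cb))
    return (ca > cb) - (ca < cb)


def cpan_decimal(version: str) -> Fraction:
    """Classic CPAN scheme: the whole string is one decimal number, so
    '2.1401' < '2.15' and '2.19' == '2.1900'."""
    return Fraction(version)


def cpan_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 under the CPAN decimal reading."""
    da, db = cpan_decimal(a), cpan_decimal(b)
    return (da > db) - (da < db)


def vuxml_affected(pkgversion: str, *, ge: Optional[str] = None,
                   lt: Optional[str] = None) -> bool:
    """Does pkgversion fall inside a VuXML <range> with optional <ge>/<lt>
    bounds?  Uses pkg semantics, because that is what pkg audit uses."""
    if ge is not None and pkg_cmp(pkgversion, ge) < 0:
        return False
    if lt is not None and pkg_cmp(pkgversion, lt) >= 0:
        return False
    return True


def thread_cases() -> Dict[str, object]:
    """The comparisons discussed in the thread.  The <lt>2.1900</lt> bound is
    a hypothetical range modelled on the check-vulnerable output."""
    return {
        # The mismatch: the port is 2.19, the entry says "below 2.1900".
        "2.19 flagged by <lt>2.1900</lt>": vuxml_affected("2.19", lt="2.1900"),
        # SirDice's fix: bound the range with the port's own version string.
        "2.19 flagged by <lt>2.19</lt>": vuxml_affected("2.19", lt="2.19"),
        # The OP's fix: bump PORTVERSION so the package itself becomes 2.1900.
        "2.1900 flagged by <lt>2.1900</lt>": vuxml_affected("2.1900", lt="2.1900"),
        # Ports ordering: 2.14 < 2.14.01 < 2.15 holds component-wise.
        "pkg: 2.14 < 2.14.01 < 2.15":
            pkg_cmp("2.14", "2.14.01") < 0 < pkg_cmp("2.15", "2.14.01"),
        # Upstream's 2.1401 would sort AFTER 2.15 for pkg (1401 > 15) ...
        "pkg: 2.1401 vs 2.15": pkg_cmp("2.1401", "2.15"),
        # ... but BEFORE 2.15 for CPAN's decimal reading.
        "cpan: 2.1401 vs 2.15": cpan_cmp("2.1401", "2.15"),
        # 2.19 and 2.1900 are the same number to CPAN, different to pkg.
        "cpan: 2.19 vs 2.1900": cpan_cmp("2.19", "2.1900"),
        "pkg: 2.19 vs 2.1900": pkg_cmp("2.19", "2.1900"),
    }


if __name__ == "__main__":
    for label, result in thread_cases().items():
        print(f"{label}: {result}")
```

On a FreeBSD box the same comparisons can be confirmed with the real tool, e.g. `pkg version -t 2.19 2.1900` prints `<`, which is why a range bounded by 2.1900 still matches a package named 2.19; the two fixes discussed in the thread (editing the VuXML bound to 2.19, or bumping PORTVERSION to 2.1900) both make the package version and the range agree, which is all that pkg audit cares about.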
 