pkg audit

Hi!
I ran pkg audit -F and it reported many problems:

Code:
pkg audit -F
vulnxml file up-to-date
xorg-server-21.1.4_1,1 is vulnerable:
  xorg-server -- Security issue in the X server
  CVE: CVE-2023-0494
  WWW: https://vuxml.FreeBSD.org/freebsd/6cc63bf5-a727-4155-8ec4-68b626475e68.html

  xorg-server -- Multiple security issues in X server extensions
  CVE: CVE-2022-4283
  CVE: CVE-2022-46344
  CVE: CVE-2022-46343
  CVE: CVE-2022-46342
  CVE: CVE-2022-46341
  CVE: CVE-2022-46340
  WWW: https://vuxml.FreeBSD.org/freebsd/9fa7b139-c1e9-409e-bed0-006aadcf5845.html

curl-7.87.0_1 is vulnerable:
  curl -- multiple vulnerabilities
  CVE: CVE-2023-23916
  CVE: CVE-2023-23915
  CVE: CVE-2023-23914
  WWW: https://vuxml.FreeBSD.org/freebsd/be233fc6-bae7-11ed-a4fb-080027f5fec9.html

3 problem(s) in 2 installed package(s) found

As I remember, the problem with xorg-server is well known, but the problem is still here.
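The post above shows the text format that `pkg audit -F` prints: one "<package> is vulnerable:" header, then one or more advisories, each with a title, a run of "CVE:" lines and a "WWW:" link to the VuXML entry. The following is an added example (not from the original post and not part of pkg itself) that turns that output into one tab-separated line per package/CVE/VuXML-URL so it can be fed into a triage script. The sample input is constructed here in the same layout as the output above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: parse `pkg audit -F` output into "package<TAB>CVE<TAB>vuxml-url".
# Uses only base-system tools (sh + awk) so it runs on a bare FreeBSD host.

# Constructed sample in the same layout as the post's `pkg audit -F` output
# (trimmed to a few CVEs); it is NOT the page's own output.
SAMPLE_AUDIT='vulnxml file up-to-date
xorg-server-21.1.4_1,1 is vulnerable:
  xorg-server -- Security issue in the X server
  CVE: CVE-2023-0494
  WWW: https://vuxml.FreeBSD.org/freebsd/6cc63bf5-a727-4155-8ec4-68b626475e68.html

  xorg-server -- Multiple security issues in X server extensions
  CVE: CVE-2022-4283
  CVE: CVE-2022-46344
  WWW: https://vuxml.FreeBSD.org/freebsd/9fa7b139-c1e9-409e-bed0-006aadcf5845.html

curl-7.87.0_1 is vulnerable:
  curl -- multiple vulnerabilities
  CVE: CVE-2023-23916
  WWW: https://vuxml.FreeBSD.org/freebsd/be233fc6-bae7-11ed-a4fb-080027f5fec9.html

3 problem(s) in 2 installed package(s) found'

# audit_to_tsv: read pkg audit text on stdin, write one line per CVE:
#   <installed package>\t<CVE id>\t<VuXML URL>
# CVE lines precede the WWW line of their advisory, so they are buffered and
# flushed when the WWW line (the end of that advisory) is seen. Indentation is
# ignored, since forum copies of the output often lose the leading spaces.
audit_to_tsv() {
    awk '
        / is vulnerable:$/ { pkg = $1; ncve = 0; next }
        /^ *CVE: /         { cves[ncve++] = $2; next }
        /^ *WWW: / {
            for (i = 0; i < ncve; i++)
                printf "%s\t%s\t%s\n", pkg, cves[i], $2
            ncve = 0
            next
        }
    '
}

# vulnerable_packages: just the distinct installed package names, one per line.
vulnerable_packages() {
    audit_to_tsv | cut -f1 | sort -u
}

# Stand-alone demo on the constructed sample. On a real host replace the
# printf with:  pkg audit -F | audit_to_tsv
printf '%s\n' "$SAMPLE_AUDIT" | audit_to_tsv
printf '%s\n' "$SAMPLE_AUDIT" | vulnerable_packages
```

The first column is the installed package name with its version (e.g. curl-7.87.0_1), which is what you compare against the repository catalogue: `pkg version -vRL=` lists installed packages whose version differs from what the configured repository currently offers, which is the check that tells you whether a newer build has actually reached the mirrors, as opposed to FreshPorts showing that the port was updated. For a plain list of affected package names without the CVE mapping, `pkg audit -q` already prints only the package names.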
 
No judgment intended, I'm trying to understand/learn. Why is a package like ftp/curl still not patched within the FreeBSD environment? Or maybe it is? Freshports shows commit history for 7.88.1, but I've been forcing pkg updates for a week and it's not grabbing it.

Btw, I forgot to mention, I'm on FreeBSD:13:amd64 and am running the latest branch. Based on Freshports, latest is behind quarterly.
 
Because building packages takes time. As does the copy to all the package mirrors.


Freshports shows commit history for 7.88.1, but I've been forcing pkg updates for a week and it's not grabbing it.
The port may have been updated but the packages need to be built for it. Which takes some time. The build started on Tue, 21 Mar 2023 01:04:25 GMT and took 55 hours and 11 minutes to complete.

Why did it take so long? It had to build 8607 packages, biggest 'stall' seems to have come from Chrome and Iridium browser, both took about 26 hours to complete.

http://beefy16.nyi.freebsd.org/build.html?mastername=131amd64-default&build=0762117e7f99
(you need IPv6 to be able to access those logs)
 
Concerning the xorg-relevant issues, there does not seem to be much happening: xorg-server is still just version 21.1.4 from September 7, 2022 ... I hope someone in the knowledgeable circle soon finds time to push the new version, which is already at 21.1.7.
 
No judgment intended, I'm trying to understand/learn. Why is a package like ftp/curl still not patched within the FreeBSD environment? Or maybe it is? Freshports shows commit history for 7.88.1, but I've been forcing pkg updates for a week and it's not grabbing it.

Btw, I forgot to mention, I'm on FreeBSD:13:amd64 and am running the latest branch. Based on Freshports, latest is behind quarterly.
I wouldn't bother worrying about curl 7.88.1 - just a few days after the port was upgraded it's vulnerable again. The current version of curl upstream is 8.0.1 but as that's a major version change it'll probably take even longer to test and upgrade to than 7.88.1!
 
And the updated curl still has problems:

curl-7.88.1 is vulnerable:
  curl -- multiple vulnerabilities
  CVE: CVE-2023-27538
  CVE: CVE-2023-27537
  CVE: CVE-2023-27536
  CVE: CVE-2023-27535
  CVE: CVE-2023-27534
  CVE: CVE-2023-27533
 