Updating nginx silently fails because of a vulnerability

I tried to update www/nginx today because there's a new version. However, building www/nginx stopped with Error code 1 and no additional explanation. Below is the output of running make in the port's dir, but the same output is given by portmaster.

Code:
root@azathoth:/usr/ports/www/nginx # make


*** Error code 1

Stop.
make[1]: stopped in /usr/ports/www/nginx
*** Error code 1

Stop.
make: stopped in /usr/ports/www/nginx

Only after running in debug mode (make -dA) did I get the following explanation:

Code:
1 problem(s) in the installed packages found.'

*** Failed target:  check-vulnerable
*** Failed command: if [ -f "/var/db/pkg/vuln.xml" ]; then if [ -n "yes" ]; then if [ -x "/usr/local/sbin/pkg-static" ]; then vlist=`/usr/local/sbin/pkg-static audit "nginx-1.6.1,2"`; if [ "${vlist}" = "0 problem(s) in the installed packages found." ]; then vlist=""; fi; elif [ "nginx" = "pkg" ]; then vlist=""; fi; elif [ -x "/usr/local/sbin/portaudit" ]; then vlist=`/usr/local/sbin/portaudit -X 14 "nginx-1.6.1,2" 2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' || true`; if [ -n "$vlist" ]; then vlist=`/usr/local/sbin/portaudit -X 14 "nginx-1.6.1,2" 2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' || true`; fi ; else echo "===> portaudit database exists, however, portaudit is not installed!"; fi; if [ -n "$vlist" ]; then echo "===> nginx-1.6.1,2 has known vulnerabilities:"; echo "$vlist"; echo "=> Please update your ports tree and try again."; echo "=> Note: Vulnerable ports are marked as such even if there is no update available."; echo "=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'"; exit 1; fi; fi
*** Error code 1

Stop.

So my question is: am I doing something wrong, or should the ports have explained the problem without running make in debug mode? I did run portmaster with the verbose flag on too, but that produced no additional explanation. Another question: why did this block? According to the listed vulnerability (CVE-2014-3556) it affects nginx >=1.6.0,2 <1.6.1,2, meaning the version I was upgrading from. Is this a bug worth reporting, and if so, what should I report?

Thanks.

Edit: I forgot to mention, running with DISABLE_VULNERABILITIES=yes fixed the issue and I was able to update nginx.
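To make the check-vulnerable logic from the make -dA output above easier to read and to reproduce outside of make, here is an added example (not code from the thread or from the ports tree) that mirrors that shell logic but prints the audit text on every path. AUDIT_CMD and the fake_audit stub are assumptions for running it offline; the default is FreeBSD's pkg-static audit.

```shell
#!/bin/sh
# Added example, not the ports framework's own code: a stand-alone version of
# the check-vulnerable target shown in the make -dA output, written so that the
# audit text is always printed instead of a bare "*** Error code 1".
# AUDIT_CMD is an assumption for testing; it defaults to FreeBSD's pkg-static.
AUDIT_CMD="${AUDIT_CMD:-/usr/local/sbin/pkg-static audit}"
CLEAN_MSG="0 problem(s) in the installed packages found."

# check_port_vuln PKGNAME-VERSION  -> 0 when clean, 1 when the audit printed anything else
check_port_vuln() {
    pkg="$1"
    # Like the real target, ignore the audit's exit status and judge its text only.
    # Unlike the real target, capture stderr too so pkg's own errors become visible.
    vlist=$($AUDIT_CMD "$pkg" 2>&1) || true
    if [ "$vlist" = "$CLEAN_MSG" ]; then
        echo "===> $pkg: $CLEAN_MSG"
        return 0
    fi
    # Any output other than the exact clean line fails the build in the ports
    # target, including pkg errors such as a missing vuln.xml, so show all of it.
    echo "===> $pkg has known vulnerabilities (or the audit itself failed):"
    printf '%s\n' "$vlist"
    echo "=> Update the ports tree and retry; DISABLE_VULNERABILITIES=yes skips this check."
    return 1
}

# Constructed stand-in for pkg-static audit, used only when AUDIT_CMD=fake_audit.
# The vulnerability text it emits is invented for this example.
fake_audit() {
    case "$1" in
        nginx-1.6.1,2)
            echo "$1 is vulnerable:"
            echo "nginx -- constructed example entry"
            echo "1 problem(s) in the installed packages found."
            return 1 ;;
        *)
            echo "$CLEAN_MSG"
            return 0 ;;
    esac
}

# Usage: sh check_port_vuln.sh nginx-1.6.1,2
if [ "${1-}" ]; then
    check_port_vuln "$1"
fi
```

Running it against the real pkg-static shows exactly what the Makefile compared against, which is the quickest way to see why a build was blocked.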
 
AzaShog said:
why did this block?
Because there was a vulnerability.

Is this a bug worth reporting
The vulnerability was probably found after you installed the previous version so it's not a bug.

running with DISABLE_VULNERABILITIES=yes fixed the issue and I was able to update nginx.
am I doing something wrong

Yes. You installed a vulnerable copy of nginx.

Of course, the vulnerability may be something that doesn't affect you but that needs to be taken into account.
 
drhowarddrfine said:
Yes. You installed a vulnerable copy of nginx.

I installed (updated to) nginx version 1.6.1,2. According to the above linked portaudit page that's not the vulnerable version (as the portaudit page says it affects nginx >=1.6.0,2 <1.6.1,2). So either 1.6.1,2 is vulnerable, but the reported CVE ID is wrong, or there's a bug blocking the update to the non-vulnerable version.
 
FreshPorts says the vulnerability is in "older versions" so you may be right and the port should have let you install it. Just recently, Firefox and Chromium had similar mistakes (but not the same) in handling this.
 
I had exactly the same issue.
It cost me several hours to troubleshoot.

Solution was indeed to make it with the disabled vulnerabilities.

Code:
make install DISABLE_VULNERABILITIES=yes
 
The question remains: why didn't the check-vulnerable target echo the error in question? Is it a config option I missed, or a bug?
 