With respect to the original question, the vulnerabilities in graphics/openjpeg that are blocking updates, Martin Paredes' advice (-m DISABLE_VULNERABILITIES=yes) should be considered a workaround, but only with appropriate research.
If you look at the commit history, 2.3.0_2 fixes CVE-2018-5785. There were 5 vulns at one point, now there are 4. Upgrading from 2.3.0_1 to 2.3.0_2 reduces the attack surface, a Good Thing.
Of the 4 still reported, it appears from the vulnxml report that two have patches and two are not fixed yet. Hopefully those patches will be integrated soon.
Given that there are unpatched vulnerabilities, the user should first determine if the version they are running is vulnerable (in this case, probably). If the current version isn't affected by the vulnerability and the new one is, don't update.
If both the current one and the update are vulnerable, the user has to decide whether it is tolerable to completely remove or disable the port until it is patched (for most of us, probably not; it isn't like everyone stopped using computers when we found out about Meltdown/Spectre and lived an analog life until we could buy secure hardware).
If both current and update are vulnerable and especially if the update is less vulnerable than the current (which is the case from 2.3.0_1 to 2.3.0_2), and if the port is essential, then use the necessary command to override the check and update anyway.
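
The decision procedure described in the post above, written out as a script. This is an added example, not part of the original post: the function names are hypothetical, and every vulnerability ID other than CVE-2018-5785 is a constructed placeholder standing in for the four entries still reported.

```shell
#!/bin/sh
# Added example: the update decision from the post as a script.
# Vulnerability IDs are whitespace-separated. Only CVE-2018-5785 comes from
# the page; the PLACEHOLDER-n IDs are constructed stand-ins.
CUR_IDS="CVE-2018-5785 PLACEHOLDER-1 PLACEHOLDER-2 PLACEHOLDER-3 PLACEHOLDER-4"  # 2.3.0_1
NEW_IDS="PLACEHOLDER-1 PLACEHOLDER-2 PLACEHOLDER-3 PLACEHOLDER-4"                # 2.3.0_2

# count_ids LIST: number of IDs in LIST
count_ids() { set -- $1; echo $#; }

# only_in A B: print IDs present in A but absent from B, one per line
only_in() {
    for id in $1; do
        found=no
        for other in $2; do
            if [ "$id" = "$other" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$id"; fi
    done
}

# decide CURRENT_IDS UPDATE_IDS ESSENTIAL(yes|no): print one verdict
decide() {
    cur_n=$(count_ids "$1"); new_n=$(count_ids "$2")
    if [ "$new_n" -eq 0 ]; then
        echo update                 # assumption: a clean update needs no override
    elif [ "$cur_n" -eq 0 ]; then
        echo hold                   # installed version unaffected, update is not
    elif [ "$3" = yes ]; then
        echo override-and-update    # both affected, port essential
    else
        echo remove-or-disable      # both affected, port can wait for a patch
    fi
}

echo "verdict: $(decide "$CUR_IDS" "$NEW_IDS" yes)"
echo "fixed by update: $(only_in "$CUR_IDS" "$NEW_IDS" | tr '\n' ' ')"
echo "introduced by update: $(only_in "$NEW_IDS" "$CUR_IDS" | tr '\n' ' ')"
```

Only the override-and-update verdict calls for the -m DISABLE_VULNERABILITIES=yes override; an empty "introduced by update" line confirms the new version adds no reported issue the installed one lacks.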