Re: git: c06e206dffd4 - main - security/vuxml: Fix bca498407bf9e529936ebb68e9ca257bdd1428de

From: Dan Langille <dan_at_langille.org>
Date: Fri, 13 Oct 2023 02:44:14 UTC

On Wed, Oct 11, 2023, at 6:23 PM, Po-Chuan Hsieh wrote:
> The branch main has been updated by sunpoet:
>
> URL: 
> https://cgit.FreeBSD.org/ports/commit/?id=c06e206dffd44ca562f86fbf55c06e361881bf47
>
> commit c06e206dffd44ca562f86fbf55c06e361881bf47
> Author:     Po-Chuan Hsieh <sunpoet@FreeBSD.org>
> AuthorDate: 2023-10-11 22:22:51 +0000
> Commit:     Po-Chuan Hsieh <sunpoet@FreeBSD.org>
> CommitDate: 2023-10-11 22:22:51 +0000
>
>     security/vuxml: Fix bca498407bf9e529936ebb68e9ca257bdd1428de
>    
>     The pkg audit result before the fix:
>     curl-8.4.0 is vulnerable:
>       curl -- SOCKS5 heap buffer overflow
>       CVE: CVE-2023-38545
>       WWW: 
> https://vuxml.FreeBSD.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html
>    
>     1 problem(s) in 1 installed package(s) found.
> ---
>  security/vuxml/vuln/2023.xml | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
> index d2b1be12644f..db04c1b9498f 100644
> --- a/security/vuxml/vuln/2023.xml
> +++ b/security/vuxml/vuln/2023.xml
> @@ -3,8 +3,7 @@
>      <affects>
>        <package>
>  	<name>curl</name>
> -	<range><gt>7.69.0</gt></range>
> -	<range><lt>8.4.0</lt></range>
> +	<range><gt>7.69.0</gt><lt>8.4.0</lt></range>

FreshPorts agrees with this change in that it no longer lists 8.4.0 as vuln.

However, my hosts are still getting:

[2:42 dns1 dan ~] % sudo pkg audit -F
vulnxml file up-to-date
curl-8.4.0 is vulnerable:
  curl -- SOCKS5 heap buffer overflow
  CVE: CVE-2023-38545
  WWW: https://vuxml.FreeBSD.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html

1 problem(s) in 1 installed package(s) found.

What do I need to do in order to propagate that fix?

Thank you.

>        </package>
>      </affects>
>      <description>
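
Review bot: the merged range on the `+` line keeps `<gt>7.69.0</gt>`, an exclusive lower bound, so curl 7.69.0 itself is not matched by this entry; if the upstream advisory counts 7.69.0 as affected, this should be `<ge>7.69.0</ge>`. Combining the bounds is the right shape: as two sibling `<range>` elements each bound matched on its own, which is why 8.4.0 satisfied `<gt>7.69.0</gt>` and was flagged in the pkg audit output quoted in the commit message.
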
> @@ -35,6 +34,7 @@
>      <dates>
>        <discovery>2023-09-30</discovery>
>        <entry>2023-10-11</entry>
> +      <modified>2023-10-11</modified>
>      </dates>
>    </vuln>
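
Review bot: the `<modified>2023-10-11</modified>` line is added without the commit message saying what was modified; the subject names the commit being fixed only by hash. A short sentence in the message stating that the two curl ranges were combined so that 8.4.0 is no longer matched would let someone reading the log connect this date to the range change.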

-- 
  Dan Langille
  dan@langille.org