[Bug 274251] ports-mgmt/pkg upgrade -v identifies packages not identified by pkg audit -F
Date: Tue, 03 Oct 2023 19:55:08 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274251
Bug ID: 274251
Summary: ports-mgmt/pkg upgrade -v identifies packages not identified by pkg audit -F
Product: Ports & Packages
Version: Latest
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: pkg@FreeBSD.org
Reporter: freebsd@haraschak.com
Flags: maintainer-feedback?(pkg@FreeBSD.org)
FreeBSD 13.2-RELEASE-p3
pkg -v 1.20.6
Package audit shows no vulnerabilities using the following command:
pkg audit -F
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
However, using `pkg upgrade -v -n`, the output indicates there are two
vulnerable packages:
pkg upgrade -v -n
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
vulnxml file up-to-date
Checking for upgrades (41 candidates): 100%
Processing candidates (41 candidates): 100%
The following 42 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
p5-IO-Socket-IP: 0.42
Installed packages to be UPGRADED:
bareos-client: 21.0.0 -> 22.0.3
bash: 5.1.16 -> 5.2.15
bat: 0.19.0_2 -> 0.23.0_5
exa: 0.10.1_9 -> 0.10.1_25
fish: 3.6.0 -> 3.6.1_1
git: 2.41.0 -> 2.42.0
icdiff: 2.0.6 -> 2.0.7
libgit2: 1.3.0 -> 1.6.4
libidn2: 2.3.3 -> 2.3.4
libpsl: 0.21.1_5 -> 0.21.2_3
libunistring: 1.0 -> 1.1
libxml2: 2.10.4 -> 2.10.4_1
nginx: 1.20.2_7,2 -> 1.24.0_12,3
oniguruma: 6.9.7.1 -> 6.9.8_1
p5-Authen-SASL: 2.16_1 -> 2.17
p5-Clone: 0.45 -> 0.46
p5-HTTP-Date: 6.05 -> 6.06
p5-HTTP-Message: 6.36 -> 6.45
p5-IO-Socket-SSL: 2.083 -> 2.083_1
p5-Mozilla-CA: 20221114 -> 20230821
p5-URI: 5.10 -> 5.21
pam_ssh_agent_auth: 0.10.4_1 -> 0.10.4_4
pcre: 8.45_1 -> 8.45_3
perl5: 5.32.1_3 -> 5.34.1_3
sudo: 1.9.12p1 -> 1.9.14p3
vim: 9.0.0379 -> 9.0.1876
zabbix64-agent: 6.4.4 -> 6.4.7
Installed packages to be REINSTALLED:
cyrus-sasl-2.1.28 (vulnerability found)
p5-CGI-4.57 (direct dependency changed: perl5)
p5-Digest-HMAC-1.04 (direct dependency changed: perl5)
p5-Encode-Locale-1.05 (direct dependency changed: perl5)
p5-Error-0.17029 (direct dependency changed: perl5)
p5-GSSAPI-0.28_2 (direct dependency changed: perl5)
p5-HTML-Parser-3.81 (direct dependency changed: perl5)
p5-HTML-Tagset-3.20_1 (direct dependency changed: perl5)
p5-IO-HTML-1.004 (direct dependency changed: perl5)
p5-IO-Socket-INET6-2.72_1 (vulnerability found)
p5-LWP-MediaTypes-6.04 (direct dependency changed: perl5)
p5-Net-SSLeay-1.92 (direct dependency changed: perl5)
p5-Socket6-0.29 (direct dependency changed: perl5)
p5-TimeDate-2.33,1 (direct dependency changed: perl5)
Number of packages to be installed: 1
Number of packages to be upgraded: 27
Number of packages to be reinstalled: 14
The process will require 8 MiB more space.
44 MiB to be downloaded.
---
pkg info cyrus-sasl | grep Version
Version : 2.1.28
pkg info p5-IO-Socket-INET6 | grep Version
Version : 2.72_1
---
The vuxml database timestamp indicated the file was up-to-date.
In the scenario where Zabbix or Nagios is using `pkg audit` to check for
vulnerable packages, it would miss items identified by `pkg upgrade`. However,
upon verifying the packages identified by `pkg upgrade`, they do not appear to
be vulnerable.
cyrus-sasl:
https://vuxml.freebsd.org/freebsd/a80c6273-988c-11ec-83ac-080027415d17.html
p5-IO-Socket-INET6 does not exist in
https://vuxml.freebsd.org/freebsd/index-pkg.html
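A monitoring check that would catch the discrepancy described above, added here as an example and not part of the bug report or of pkg itself: it parses the text of `pkg upgrade -n` and `pkg audit -F`, collects the entries the upgrade planner marks "(vulnerability found)", and reports those that audit did not list. The sample outputs are constructed from the report; the "<name>-<version> is vulnerable:" line shape for pkg audit hits is assumed from that command's usual output.

```python
import re

# Constructed sample, abridged from the `pkg upgrade -v -n` output in the report.
PKG_UPGRADE_OUTPUT = """\
vulnxml file up-to-date
Installed packages to be UPGRADED:
    bash: 5.1.16 -> 5.2.15
Installed packages to be REINSTALLED:
    cyrus-sasl-2.1.28 (vulnerability found)
    p5-CGI-4.57 (direct dependency changed: perl5)
    p5-IO-Socket-INET6-2.72_1 (vulnerability found)
"""

# Constructed sample matching the `pkg audit -F` output in the report.
PKG_AUDIT_OUTPUT = """\
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
"""

# "<name>-<version> (<reason>)": the version begins at the last '-' that is
# followed by a digit, so names containing '-' (p5-IO-Socket-INET6) parse right.
_REINSTALL_RE = re.compile(r"^\s*(?P<pkg>\S+?)-(?P<ver>\d\S*) \((?P<reason>[^)]*)\)\s*$")
# Assumed pkg audit hit line: "<name>-<version> is vulnerable:".
_AUDIT_RE = re.compile(r"^(?P<pkg>\S+?)-(?P<ver>\d\S*) is vulnerable", re.M)
_SUMMARY_RE = re.compile(r"^(\d+) problem\(s\) in (\d+) installed package\(s\) found\.", re.M)


def upgrade_vuln_flags(text):
    """Return {name: version} for entries pkg upgrade marks '(vulnerability found)'."""
    found = {}
    for line in text.splitlines():
        m = _REINSTALL_RE.match(line)
        if m and m.group("reason") == "vulnerability found":
            found[m.group("pkg")] = m.group("ver")
    return found


def audit_vuln_pkgs(text):
    """Return {name: version} for packages pkg audit reports as vulnerable."""
    return {m.group("pkg"): m.group("ver") for m in _AUDIT_RE.finditer(text)}


def audit_problem_count(text):
    """Return (problems, packages) from the pkg audit summary line, or None."""
    m = _SUMMARY_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def disagreement(upgrade_text, audit_text):
    """Packages the upgrade planner flags as vulnerable but pkg audit does not list."""
    audited = audit_vuln_pkgs(audit_text)
    return sorted(p for p in upgrade_vuln_flags(upgrade_text) if p not in audited)
```

On a live host the two strings would come from `subprocess.check_output(["pkg", "upgrade", "-n"])` and `["pkg", "audit", "-F"]`; a non-empty `disagreement()` result is the condition a Zabbix or Nagios check would alert on so that neither signal is silently trusted alone.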