[Bug 261856] net/xrdp-devel: 0.9.18.1,1 is fixed, isn't it?

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 10 Feb 2022 09:11:34 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261856

            Bug ID: 261856
           Summary: net/xrdp-devel: 0.9.18.1,1 is fixed, isn't it?
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: meta@FreeBSD.org
          Reporter: Trond.Endrestol@ximalas.info
             Flags: maintainer-feedback?(meta@FreeBSD.org)

I still see net/xrdp-devel 0.9.18.1,1 marked as vulnerable:

root@HOSTNAME:~ # pkg audit -Fr
Fetching vuln.xml.xz: 100%  932 KiB 954.2kB/s    00:01
py38-pillow-8.2.0_1 is vulnerable:
  Pillow -- Regular Expression Denial of Service (ReDoS)
  CVE: CVE-2021-23437
  WWW:
https://vuxml.FreeBSD.org/freebsd/ed8a4215-675c-11ec-8dd4-a0f3c100ae18.html

  Packages that depend on py38-pillow: py38-matplotlib, py38-networkx,
porttree, HOSTNAME-localbase, mono

xrdp-devel-0.9.18.1,1 is vulnerable:
  xrdp -- privilege escalation
  CVE: CVE-2022-23613
  WWW:
https://vuxml.FreeBSD.org/freebsd/fc2a9541-8893-11ec-9d01-80ee73419af3.html

  Packages that depend on xrdp-devel: HOSTNAME-localbase

2 problem(s) in 2 installed package(s) found.
root@HOSTNAME:~ #

According to https://github.com/neutrinolabs/xrdp/releases, 0.9.18.1 is the
current version and also the version where CVE-2022-23613 is fixed.

The two ranges specified for net/xrdp and net/xrdp-devel are what causes the
confusion. Admittedly, there can be a flaw in "pkg audit". I propose to delete
the two ranges indicated below:

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index b820879240b6..38aceff250a0 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -58,12 +58,10 @@
       <package>
        <name>xrdp</name>
        <range><lt>0.9.18.1</lt></range>
-       <range><ge>0.9.17</ge></range>
       </package>
       <package>
        <name>xrdp-devel</name>
        <range><lt>0.9.18.1</lt></range>
-       <range><ge>0.9.17</ge></range>
       </package>

     </affects>
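Review bot: dropping the `<range><ge>0.9.17</ge></range>` lines in both the xrdp and xrdp-devel blocks removes the lower bound entirely, so the entry would then flag every version below 0.9.18.1, not only 0.9.17 and later. The defect in the visible lines is that the two bounds sit in separate `<range>` elements; VuXML evaluates each `<range>` independently, so the `<ge>0.9.17</ge>` range on its own is unbounded above and matches 0.9.18.1,1 and every later release, which is exactly the false positive shown in the `pkg audit` output. The narrower fix is to merge the bounds into one element per package, e.g. `<range><ge>0.9.17</ge><lt>0.9.18.1</lt></range>`. Note also that 0.9.18.1,1 carries PORTEPOCH 1 and therefore compares greater than any bound written without the `,1` suffix, so whoever lands this should confirm the bounds against the epoch each port actually uses.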
