[Bug 281269] pkg-audit ignores VuXML reports if installed package has PORTEPOCH appended
Date: Wed, 04 Sep 2024 15:12:13 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281269
            Bug ID: 281269
           Summary: pkg-audit ignores VuXML reports if installed package
                    has PORTEPOCH appended
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: joneum@FreeBSD.org
          Reporter: ps.ports@smyrak.com
                CC: bapt@FreeBSD.org
             Flags: maintainer-feedback?(joneum@FreeBSD.org)
Steps to reproduce:
1. Pick a vulnerable port / package whose Makefile includes a PORTEPOCH and
install it.
2. Run pkg audit
Note: I spotted this thanks to firefox, yet it might as well be reproduced
on www/nginx, which is cheaper to build. Thus I believe that bug #281250 is a
duplicate or actually a symptom of this description.
% uname -v
FreeBSD 13.4-STABLE stable/13-n258228-3a9010c98b3d GENERIC
% pkg --version
1.21.3
% pkg info firefox | head -1
firefox-128.0.3,2
% grep -A1 'name.firefox' /usr/ports/security/vuxml/vuln/2024.xml
        <name>firefox</name>
        <range><lt>129.0</lt></range>
--
        <name>firefox</name>
        <range><lt>129.0</lt></range>
% doas pkg audit -F
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
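
Added example, not part of the original report and not pkg's own code: a simplified Python model of FreeBSD package version ordering, in which the PORTEPOCH (the number after the comma) is compared before the version string, applied to the values from the transcript above. It handles numeric dotted versions only; the function names and the bound 129.0,2 are constructed for illustration.

```python
import re
from itertools import zip_longest

def parse(version):
    """Split 'VER[_REVISION][,EPOCH]' into (epoch, numeric parts, revision)."""
    version, _, epoch = version.partition(",")
    version, _, revision = version.partition("_")
    parts = [int(n) for n in re.findall(r"\d+", version)]
    return int(epoch or 0), parts, int(revision or 0)

def compare(a, b):
    """Return -1, 0 or 1; the epoch outranks the version, the revision breaks ties."""
    (ea, pa, ra), (eb, pb, rb) = parse(a), parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in zip_longest(pa, pb, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return (ra > rb) - (ra < rb)

OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def in_range(installed, op, bound):
    """True when the installed version satisfies a VuXML-style <op>bound</op>."""
    return OPS[op](compare(installed, bound))

def epoch_gap(installed, bound):
    """True when the installed epoch is higher than the bound's epoch, so an
    lt/le bound cannot match whatever the version numbers are."""
    return parse(installed)[0] > parse(bound)[0]

def audit(installed, ranges):
    """Evaluate each (op, bound) and report (bound, matched, epoch_gap)."""
    return [(b, in_range(installed, op, b), epoch_gap(installed, b))
            for op, b in ranges]

if __name__ == "__main__":
    installed = "128.0.3,2"            # from the transcript above
    ranges = [("lt", "129.0"),         # from the transcript above
              ("lt", "129.0,2")]       # constructed bound carrying the epoch
    for bound, matched, gap in audit(installed, ranges):
        print(f"{installed} lt {bound}: matched={matched} epoch_gap={gap}")
```

Running epoch_gap over every installed package and its VuXML bounds lists the entries where an epoch-less bound is being compared against an epoch-bearing installed version.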