Re: www/py-aiohttp vulnerabilities

From: Kurt Jaeger <pi_at_freebsd.org>
Date: Wed, 23 Jun 2021 09:28:24 +0200
Hi!

> pkg audit complains that
> > py37-aiohttp-3.7.4.p0 (www/py-aiohttp) is vulnerable:
> >   aiohttp -- open redirect vulnerability
> >   CVE: CVE-2021-21330
> >   WWW: https://vuxml.FreeBSD.org/freebsd/3000acee-c45d-11eb-904f-14dae9d5a9d2.html
> > 
> > 1 problem(s) found.
> 
> However, AFAICT following the link, this CVE was fixed in 3.7.4.
> Is this version vulnerable or not?
> 
> Reading https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256219, IIUIC,
> looks like answer is no.
> Is then something wrong with my audit database?

>From reading the ticket it's probably a problem of the
PORTVERSION -- there's some ordering assumption, which causes
3.7.4 to be newer than 3.7.4.post0.

-- 
pi_at_opsec.eu            +49 171 3101372                    Now what ?
Received on Wed Jun 23 2021 - 07:28:24 UTC

Original text of this message