Re: www/py-aiohttp vulnerabilities
- Reply: Li-Wen Hsu : "Re: www/py-aiohttp vulnerabilities"
- In reply to: Andrea Venturoli : "www/py-aiohttp vulnerabilities"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 23 Jun 2021 07:28:24 UTC
Hi! > pkg audit complains that > > py37-aiohttp-3.7.4.p0 (www/py-aiohttp) is vulnerable: > > aiohttp -- open redirect vulnerability > > CVE: CVE-2021-21330 > > WWW: https://vuxml.FreeBSD.org/freebsd/3000acee-c45d-11eb-904f-14dae9d5a9d2.html > > > > 1 problem(s) found. > > However, AFAICT following the link, this CVE was fixed in 3.7.4. > Is this version vulnerable or not? > > Reading https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256219, IIUIC, > looks like answer is no. > Is then something wrong with my audit database? From reading the ticket it's probably a problem of the PORTVERSION -- there's some ordering assumption, which causes 3.7.4 to be newer than 3.7.4.post0. -- firstname.lastname@example.org +49 171 3101372 Now what ?