Re: www/py-aiohttp vulnerabilities

From: Li-Wen Hsu <lwhsu_at_freebsd.org>
Date: Wed, 23 Jun 2021 18:05:37 +0800
On Wed, Jun 23, 2021 at 3:29 PM Kurt Jaeger <pi_at_freebsd.org> wrote:
>
> Hi!
>
> > pkg audit complains that
> > > py37-aiohttp-3.7.4.p0 (www/py-aiohttp) is vulnerable:
> > >   aiohttp -- open redirect vulnerability
> > >   CVE: CVE-2021-21330
> > >   WWW: https://vuxml.FreeBSD.org/freebsd/3000acee-c45d-11eb-904f-14dae9d5a9d2.html
> > >
> > > 1 problem(s) found.
> >
> > However, AFAICT following the link, this CVE was fixed in 3.7.4.
> > Is this version vulnerable or not?
> >
> > Reading https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256219, IIUIC,
> > looks like answer is no.
> > Is then something wrong with my audit database?
>
> From reading the ticket it's probably a problem of the
> PORTVERSION -- there's some ordering assumption, which causes
> 3.7.4 to be newer than 3.7.4.post0.

I think this fies/workaround the issue:
https://cgit.freebsd.org/ports/commit/?id=f3e4dbcb5ff2fe2a018f78f396a4247f1dd32cc9

I changed the affected version from < 3.7.4 to <= 3.7.3. Now both
3.7.4 and 3.7.4.p0 (3.7.4.post0) are not affected.

Although in ports' version 3.7.4 is newer than 3.7.4.p0, we don't have
3.7.4 in the history of www/py-aiohttp so no PORTEPOCH is needed.

Best,
Li-Wen
Received on Wed Jun 23 2021 - 10:05:37 UTC

Original text of this message