Re: Updating libxml2 in poudriere jail

From: Simon Wright <simon.wright_at_gmx.net>
Date: Mon, 08 May 2023 04:51:39 UTC
On 2023-05-08 12:40, Mark Millard wrote:
> Simon Wright <simon.wright_at_gmx.net> wrote on
> Date: Mon, 08 May 2023 01:36:45 UTC :
>
>> I am using poudriere to build a small selection of ports with
>> non-default options. This is working fine, however for the daily
>> security run on the VM that runs poudriere, I am seeing this warning:
>>
>> =======================
>> Checking for security vulnerabilities in base (userland & kernel):
>> Database fetched: Sun May 7 03:40:24 PST 2023
>> 0 problem(s) in 0 installed package(s) found.
>> 0 problem(s) in 0 installed package(s) found.
>> portaudit for jails on vmserver04 - 2 problem(s) found.
>>
>> portaudit for jail: pkg.home.santos-wright.net (JID: 10)
>>
>> libxml2-2.10.3_2 (textproc/libxml2) is vulnerable:
>> libxml2 -- multiple vulnerabilities
>> CVE: CVE-2023-29469
>> CVE: CVE-2023-28484
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/0bd7f07b-dc22-11ed-bf28-589cfc0f81b0.html
>>
>> 1 problem(s) found.
>>
>> portaudit for jail: pkg.home.santos-wright.net (JID: 8)
>>
>> libxml2-2.10.3_2 (textproc/libxml2) is vulnerable:
>> libxml2 -- multiple vulnerabilities
>> CVE: CVE-2023-29469
>> CVE: CVE-2023-28484
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/0bd7f07b-dc22-11ed-bf28-589cfc0f81b0.html
>>
>> 1 problem(s) found.
>>
>> ======================
>>
>> I've tried manually starting the jail, installing pkg and updating
>> libxml2 which works but on restarting the jail, it has as expected
>> reverted to the vulnerable version of libxml2.
>
> It is important for poudriere operation that the jail(s) it
> uses not have packages pre-installed. That can interfere with
> poudriere building ports into packages and/or with installing
> them as needed. (Messing up detection of what is missing and,
> so, needs to be built or installed.) poudriere bulk should do
> all its own package installations for use in all builders as
> I understand things.
>
>> Can anyone point me in the right direction to eliminate the error
>> message on the daily security scan? Or can I remove this package from
>> the jail?
>
>
> If you have packages that look to be installed in jail(s)
> even when poudriere is not doing the likes of a bulk build
> (or related), then I suggest uninstalling such. Even if
> such is not a (full) fix of the overall issue, as far as
> I know, pre-installed packages are not a valid/general
> solution to anything for poudriere bulk operation.

Thanks Mark, I also don't understand why the security scan is finding
this. Manually starting the jail and checking it did not find any
packages (or pkg itself) which is as expected. I use a standard
poudriere build and I've never customised it other than via
poudriere.conf, certainly never tried to install packages in it - other
than the attempt to upgrade to fix the error listed above.

Something appears to have gone bad with my poudriere install so I will
delete the jail and recreate it. Seems like the easiest solution! I've
already cleared out some unused ezjail jails but that did not get rid of
the warning.

Thanks, will come back here if deleting and recreating does not clear
this up :).

Simon.
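A check that follows from Mark's advice and Simon's observation above: before deleting and recreating a jail, it helps to see which jail roots on the host actually carry a pkg(8) database, and to run pkg audit against a root without starting the jail (or against a running jail by the JID the periodic output keys on). This is an added example, not code from the thread, from poudriere or from FreeBSD's periodic scripts; the jail directory paths mentioned in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: find which jail roots on the host
# actually carry a pkg(8) database, and audit a root without starting the jail.
# Assumptions (hypothetical for this example): poudriere jails live under
# /usr/local/poudriere/jails and ezjail jails under /usr/jails; adjust to taste.

# Succeeds (exit 0) when ROOT contains a pkg database, i.e. packages were
# installed into that filesystem at some point.
jail_has_pkgdb() {
    [ -f "$1/var/db/pkg/local.sqlite" ]
}

# For every immediate subdirectory of each PARENT given, print one line:
# "<root><TAB><status>" where status is "pkgdb present" or "no pkgdb".
list_pkgdbs() {
    for parent in "$@"; do
        [ -d "$parent" ] || continue
        for root in "$parent"/*/; do
            [ -d "$root" ] || continue      # no subdirectories: glob stayed literal
            root=${root%/}
            if jail_has_pkgdb "$root"; then
                printf '%s\tpkgdb present\n' "$root"
            else
                printf '%s\tno pkgdb\n' "$root"
            fi
        done
    done
}

# Count how many of the listed roots carry a pkg database (prints 0 when none).
count_pkgdbs() {
    list_pkgdbs "$@" | grep -c 'pkgdb present$' || true
}

# Audit the packages recorded in ROOT's database using pkg's -r option, which
# points pkg at an alternate root directory; the jail need not be running.
# -F fetches the current vulnerability database before checking.
audit_root() {
    if jail_has_pkgdb "$1"; then
        pkg -r "$1" audit -F
    else
        printf '%s: no package database, nothing to audit\n' "$1" >&2
    fi
}

# Audit a running jail by JID or name instead, which is what the periodic
# "portaudit for jail: ... (JID: n)" lines refer to.
audit_jail() {
    pkg -j "$1" audit -F
}

# Usage (paths and JID are examples):
#   list_pkgdbs /usr/local/poudriere/jails /usr/jails
#   audit_root /usr/local/poudriere/jails/13_1-amd64
#   audit_jail 10
```

A poudriere base jail that has never had packages installed into it will show "no pkgdb"; a root that shows "pkgdb present" is where `pkg -r ROOT info` will list what the scan is flagging, and `pkg -r ROOT delete` can remove it without starting the jail.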