vuxml entry error for krb5
Date: Thu, 17 Nov 2022 18:38:47 UTC
Not sure who to address this to, so hopefully someone more knowledgeable about vuxml can explain what needs to be fixed here.

https://vuxml.freebsd.org/freebsd/094e4a5b-6511-11ed-8c5e-206a8a720317.html gives incorrect "affected packages" for the main `krb5` package: it claims that all versions < 1.20_1 are affected, but in fact the vulnerable versions are 1.20 < x < 1.20_1 OR 1.19 < x < 1.19.3_1 OR x < 1.19.

This means that if you have KRB5_VERSION=119 set in make.conf, you will get packages that are *not* vulnerable, but `pkg audit` will claim that they are.

-GAWollman
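
The false positive described in the message above, as an added example that is not part of the original post or of pkg: a simplified range matcher applied to the range the entry declares and to the ranges given in the post, with bounds copied as written there. It assumes dotted numeric versions with an optional `_N` port revision only, which is not pkg's full version comparison; the function names and the sample version list are constructed for illustration.

```python
# Added example: simplified model of VuXML-style range matching.
# Assumption: versions are dotted integers plus an optional _N port revision.
# This is NOT pkg's real comparator (no PORTEPOCH, no letters or suffixes).
import operator

OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt, "ge": operator.ge}


def parse(version):
    """'1.19.3_1' -> ((1, 19, 3), 1); a missing revision counts as 0."""
    base, _, rev = version.partition("_")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)


def in_range(version, bounds):
    """bounds is a list of (op, version) pairs that must all hold."""
    v = parse(version)
    return all(OPS[op](v, parse(b)) for op, b in bounds)


def affected(version, ranges):
    """A package is flagged if it falls inside any one of the ranges."""
    return any(in_range(version, r) for r in ranges)


# The single range the post says the entry declares for krb5.
ENTRY_AS_PUBLISHED = [[("lt", "1.20_1")]]

# The ranges the post says are actually vulnerable, bounds as written there.
RANGES_FROM_POST = [
    [("gt", "1.20"), ("lt", "1.20_1")],
    [("gt", "1.19"), ("lt", "1.19.3_1")],
    [("lt", "1.19")],
]


def false_positives(installed):
    """Versions flagged by the published range but not by the post's ranges."""
    return [v for v in installed
            if affected(v, ENTRY_AS_PUBLISHED)
            and not affected(v, RANGES_FROM_POST)]


if __name__ == "__main__":
    # Constructed sample versions; 1.19.3_1 stands for a KRB5_VERSION=119 build.
    for v in ["1.18.3", "1.19.2", "1.19.3_1", "1.20_1"]:
        print(v, affected(v, ENTRY_AS_PUBLISHED), affected(v, RANGES_FROM_POST))
```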