From: bugzilla-noreply@freebsd.org
To: pkg@FreeBSD.org
Subject: [Bug 274251] ports-mgmt/pkg upgrade -v identifies packages not identified by pkg audit -F
Date: Tue, 03 Oct 2023 19:55:08 +0000
List-Id: Binary package management and package tools discussion
List-Archive: https://lists.freebsd.org/archives/freebsd-pkg

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274251

            Bug ID: 274251
           Summary: ports-mgmt/pkg upgrade -v identifies packages not
                    identified by pkg audit -F
           Product: Ports & Packages
           Version: Latest
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: pkg@FreeBSD.org
          Reporter: freebsd@haraschak.com
             Flags: maintainer-feedback?(pkg@FreeBSD.org)

FreeBSD 13.2-RELEASE-p3

pkg -v
1.20.6

Package audit shows no vulnerabilities using the following command:

pkg audit -F
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.

However, using `pkg upgrade -v -n` the output indicates there are two
vulnerable packages:

pkg upgrade -v -n
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
vulnxml file up-to-date
Checking for upgrades (41 candidates): 100%
Processing candidates (41 candidates): 100%
The following 42 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	p5-IO-Socket-IP: 0.42

Installed packages to be UPGRADED:
	bareos-client: 21.0.0 -> 22.0.3
	bash: 5.1.16 -> 5.2.15
	bat: 0.19.0_2 -> 0.23.0_5
	exa: 0.10.1_9 -> 0.10.1_25
	fish: 3.6.0 -> 3.6.1_1
	git: 2.41.0 -> 2.42.0
	icdiff: 2.0.6 -> 2.0.7
	libgit2: 1.3.0 -> 1.6.4
	libidn2: 2.3.3 -> 2.3.4
	libpsl: 0.21.1_5 -> 0.21.2_3
	libunistring: 1.0 -> 1.1
	libxml2: 2.10.4 -> 2.10.4_1
	nginx: 1.20.2_7,2 -> 1.24.0_12,3
	oniguruma: 6.9.7.1 -> 6.9.8_1
	p5-Authen-SASL: 2.16_1 -> 2.17
	p5-Clone: 0.45 -> 0.46
	p5-HTTP-Date: 6.05 -> 6.06
	p5-HTTP-Message: 6.36 -> 6.45
	p5-IO-Socket-SSL: 2.083 -> 2.083_1
	p5-Mozilla-CA: 20221114 -> 20230821
	p5-URI: 5.10 -> 5.21
	pam_ssh_agent_auth: 0.10.4_1 -> 0.10.4_4
	pcre: 8.45_1 -> 8.45_3
	perl5: 5.32.1_3 -> 5.34.1_3
	sudo: 1.9.12p1 -> 1.9.14p3
	vim: 9.0.0379 -> 9.0.1876
	zabbix64-agent: 6.4.4 -> 6.4.7

Installed packages to be REINSTALLED:
	cyrus-sasl-2.1.28 (vulnerability found)
	p5-CGI-4.57 (direct dependency changed: perl5)
	p5-Digest-HMAC-1.04 (direct dependency changed: perl5)
	p5-Encode-Locale-1.05 (direct dependency changed: perl5)
	p5-Error-0.17029 (direct dependency changed: perl5)
	p5-GSSAPI-0.28_2 (direct dependency changed: perl5)
	p5-HTML-Parser-3.81 (direct dependency changed: perl5)
	p5-HTML-Tagset-3.20_1 (direct dependency changed: perl5)
	p5-IO-HTML-1.004 (direct dependency changed: perl5)
	p5-IO-Socket-INET6-2.72_1 (vulnerability found)
	p5-LWP-MediaTypes-6.04 (direct dependency changed: perl5)
	p5-Net-SSLeay-1.92 (direct dependency changed: perl5)
	p5-Socket6-0.29 (direct dependency changed: perl5)
	p5-TimeDate-2.33,1 (direct dependency changed: perl5)

Number of packages to be installed: 1
Number of packages to be upgraded: 27
Number of packages to be reinstalled: 14

The process will require 8 MiB more space.
44 MiB to be downloaded.
---
pkg info cyrus-sasl | grep Version
Version : 2.1.28

pkg info p5-IO-Socket-INET6 | grep Version
Version : 2.72_1
---

The vuxml database timestamp indicated the file was up-to-date.

In the scenario where Zabbix or Nagios is using `pkg audit` to check for
vulnerable packages, it would miss items identified by `pkg upgrade`; however,
upon verifying the packages identified by `pkg upgrade`, they do not appear to
be vulnerable.

cyrus-sasl:
https://vuxml.freebsd.org/freebsd/a80c6273-988c-11ec-83ac-080027415d17.html

p5-IO-Socket-INET6 does not exist in
https://vuxml.freebsd.org/freebsd/index-pkg.html

-- 
You are receiving this mail because:
You are the assignee for the bug.
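The report's practical concern is that a monitoring check built on `pkg audit` alone never sees the packages `pkg upgrade -v -n` marks "(vulnerability found)". The following POSIX sh script is an added example, written for this page and not taken from the bug report or from pkg itself: it parses both outputs and reports the packages the two tools disagree on, so the discrepancy can be surfaced in a Nagios- or Zabbix-style check and reviewed against VuXML rather than silently ignored. The `pkg upgrade` sample is trimmed from the report above; the `pkg audit` samples are constructed, and the "<name-version> is vulnerable:" line they use is an assumption about pkg audit's output format (the report only shows the zero-problem case). The OK/WARNING exit-code mapping is the example's own convention.

```sh
#!/bin/sh
# Added example: reconcile packages flagged "(vulnerability found)" by
# `pkg upgrade -v -n` with packages reported by `pkg audit -F`.
# Not part of the bug report or of pkg; all inputs below are constructed.

# Trimmed from the report's `pkg upgrade -v -n` output (pkg indents these
# lines with a tab; the parser accepts any leading whitespace).
UPGRADE_SAMPLE='Installed packages to be REINSTALLED:
	cyrus-sasl-2.1.28 (vulnerability found)
	p5-CGI-4.57 (direct dependency changed: perl5)
	p5-IO-Socket-INET6-2.72_1 (vulnerability found)
	p5-TimeDate-2.33,1 (direct dependency changed: perl5)

Number of packages to be reinstalled: 4'

# The audit output shown in the report: nothing flagged.
AUDIT_SAMPLE_EMPTY='vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.'

# Constructed audit output that does list one of the two packages, in the
# "<name-version> is vulnerable:" format (assumed, not shown in the report).
AUDIT_SAMPLE_ONE='vulnxml file up-to-date
cyrus-sasl-2.1.28 is vulnerable:
  cyrus-sasl -- constructed sample entry, not a real VuXML record

1 problem(s) in 1 installed package(s) found.'

# Package names (name-version) that pkg upgrade wants to reinstall because of
# a vulnerability, one per line, sorted and de-duplicated.
flagged_by_upgrade() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\([^[:space:]]\{1,\}\) (vulnerability found)$/\1/p' |
        sort -u
}

# Package names pkg audit reported as vulnerable, one per line, sorted.
flagged_by_audit() {
    printf '%s\n' "$1" |
        sed -n 's/^\([^[:space:]]\{1,\}\) is vulnerable:.*$/\1/p' |
        sort -u
}

# Set difference: packages flagged by pkg upgrade that pkg audit did not
# report. Prints nothing when the two tools agree.
upgrade_only() {
    up=$(flagged_by_upgrade "$1")
    au=$(flagged_by_audit "$2")
    [ -n "$up" ] || return 0
    if [ -n "$au" ]; then
        # grep -F accepts a newline-separated pattern list; -x matches whole lines.
        printf '%s\n' "$up" | grep -vxF -e "$au" || :
    else
        printf '%s\n' "$up"
    fi
}

# Monitoring-style status: exit 0 (OK) when the tools agree, 1 (WARNING)
# when pkg upgrade flags packages that pkg audit did not, so the operator
# checks them against VuXML instead of relying on one tool's verdict.
check_status() {
    missing=$(upgrade_only "$1" "$2")
    if [ -z "$missing" ]; then
        echo "OK: pkg audit and pkg upgrade agree"
        return 0
    fi
    echo "WARNING: flagged by pkg upgrade but not by pkg audit:" \
        "$(printf '%s' "$missing" | tr '\n' ' ')"
    return 1
}

# Stand-alone run over the constructed samples.
check_status "$UPGRADE_SAMPLE" "$AUDIT_SAMPLE_EMPTY" || :
check_status "$UPGRADE_SAMPLE" "$AUDIT_SAMPLE_ONE" || :
```

In production the two samples would be replaced by `pkg upgrade -v -n 2>&1` and `pkg audit -F 2>&1` captured on the host; the point of the check is not that `pkg upgrade` is right and `pkg audit` is wrong (the report shows the opposite for these two packages) but that a disagreement between them is itself worth alerting on.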