Date:      Thu, 10 Feb 2022 09:11:34 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 261856] net/xrdp-devel: 0.9.18.1,1 is fixed, isn't it?
Message-ID:  <bug-261856-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261856

            Bug ID: 261856
           Summary: net/xrdp-devel: 0.9.18.1,1 is fixed, isn't it?
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: meta@FreeBSD.org
          Reporter: Trond.Endrestol@ximalas.info
             Flags: maintainer-feedback?(meta@FreeBSD.org)

I still see net/xrdp-devel 0.9.18.1,1 marked as vulnerable:

root@HOSTNAME:~ # pkg audit -Fr
Fetching vuln.xml.xz: 100%  932 KiB 954.2kB/s    00:01
py38-pillow-8.2.0_1 is vulnerable:
  Pillow -- Regular Expression Denial of Service (ReDoS)
  CVE: CVE-2021-23437
  WWW: https://vuxml.FreeBSD.org/freebsd/ed8a4215-675c-11ec-8dd4-a0f3c100ae18.html

  Packages that depend on py38-pillow: py38-matplotlib, py38-networkx, porttree, HOSTNAME-localbase, mono

xrdp-devel-0.9.18.1,1 is vulnerable:
  xrdp -- privilege escalation
  CVE: CVE-2022-23613
  WWW: https://vuxml.FreeBSD.org/freebsd/fc2a9541-8893-11ec-9d01-80ee73419af3.html

  Packages that depend on xrdp-devel: HOSTNAME-localbase

2 problem(s) in 2 installed package(s) found.
root@HOSTNAME:~ #

According to https://github.com/neutrinolabs/xrdp/releases, 0.9.18.1 is the
current version and also the version where CVE-2022-23613 is fixed.

The two ranges specified for net/xrdp and net/xrdp-devel are what cause the
confusion. Admittedly, there can be a flaw in "pkg audit". I propose to delete
the two ranges indicated below:

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index b820879240b6..38aceff250a0 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -58,12 +58,10 @@
       <package>
        <name>xrdp</name>
        <range><lt>0.9.18.1</lt></range>
-       <range><ge>0.9.17</ge></range>
       </package>
       <package>
        <name>xrdp-devel</name>
        <range><lt>0.9.18.1</lt></range>
-       <range><ge>0.9.17</ge></range>
       </package>

     </affects>
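Review bot: deleting the two `<ge>0.9.17</ge>` lines removes the lower bound of the affected interval instead of fixing how the two bounds combine. In VuXML each `<range>` element is an independent interval and a package is affected if any one of them matches, so the pair as committed reads "less than 0.9.18.1, or at least 0.9.17", which is true for every version, and that is why pkg audit still flags xrdp-devel-0.9.18.1,1 (whose epoch of 1 makes it compare greater than 0.9.18.1, so `<lt>0.9.18.1</lt>` on its own would correctly not match it). If 0.9.17 really is the first affected release, keep that information and merge both bounds into a single element for each of the two packages: `<range><ge>0.9.17</ge><lt>0.9.18.1</lt></range>`; if the lower bound was never meaningful, the deletion as proposed is the right fix. Either way, run `make validate` in security/vuxml and re-check with pkg audit against the regenerated vuln.xml before committing.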

-- 
You are receiving this mail because:
You are the assignee for the bug.
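The matching behaviour behind this report, as an added example that is not part of the bug, of pkg, or of the VuXML tooling: a stdlib-only Python model of how VuXML ranges are evaluated. Each `<range>` element is an independent interval and a package is affected if any of them matches, while every bound inside one `<range>` must hold. The two fragments are constructed from the hunk in the report (VuXML namespace dropped), and the version comparison is a deliberate simplification of pkg's: the `,N` epoch outranks everything, then the dotted components, then the `_N` port revision. The function and constant names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the two-range form in the reported vuln-2022.xml hunk
# (namespace omitted so plain ElementTree paths work).
AS_COMMITTED = """
<affects>
  <package>
    <name>xrdp-devel</name>
    <range><lt>0.9.18.1</lt></range>
    <range><ge>0.9.17</ge></range>
  </package>
</affects>
"""

# Constructed alternative: both bounds inside one <range>, so they are ANDed.
MERGED = """
<affects>
  <package>
    <name>xrdp-devel</name>
    <range><ge>0.9.17</ge><lt>0.9.18.1</lt></range>
  </package>
</affects>
"""


def parse_version(v):
    """Simplified FreeBSD pkg version: 'ver[_revision][,epoch]' -> comparable tuple.

    Epoch dominates, then the dotted components, then the port revision.
    Components are tagged so numbers and letters never compare directly.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = []
    for piece in v.split("."):
        for tok in re.findall(r"\d+|[A-Za-z]+", piece):
            parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return (epoch, parts, revision)


def compare(a, b):
    """Return -1, 0 or 1 as version a is below, equal to, or above version b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


# Bound element name -> predicate on compare(installed, bound_version).
BOUND_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def range_matches(range_el, version):
    """All bounds inside a single <range> must hold (AND)."""
    for bound in range_el:
        if not BOUND_OPS[bound.tag](compare(version, bound.text.strip())):
            return False
    return True


def affected(vuxml, pkgname, version):
    """A package is affected if any <range> under its <package> matches (OR)."""
    root = ET.fromstring(vuxml.strip())
    for pkg in root.iter("package"):
        if pkg.findtext("name").strip() != pkgname:
            continue
        if any(range_matches(r, version) for r in pkg.findall("range")):
            return True
    return False


if __name__ == "__main__":
    # The installed version from the report: epoch 1 makes it sort above 0.9.18.1.
    for label, doc in (("as committed", AS_COMMITTED), ("merged", MERGED)):
        for ver in ("0.9.16", "0.9.17", "0.9.18.1", "0.9.18.1,1"):
            print(f"{label:12s} xrdp-devel-{ver:10s} affected={affected(doc, 'xrdp-devel', ver)}")
```

Run it and the two-range form flags every version, 0.9.18.1,1 included, while the merged form flags only 0.9.17 up to but excluding 0.9.18.1; that is the difference between the entry pkg audit evaluated and the interval the advisory presumably meant.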



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-261856-7788>