Site Navigation

Date:      Thu, 12 Oct 2023 22:44:14 -0400
From:      "Dan Langille" <dan@langille.org>
To:        "Sunpoet Po-Chuan Hsieh" <sunpoet@FreeBSD.org>, ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   Re: git: c06e206dffd4 - main - security/vuxml: Fix  bca498407bf9e529936ebb68e9ca257bdd1428de
Message-ID:  <9c707b4a-f8ee-4206-a935-5bc87409dfe9@app.fastmail.com>
In-Reply-To: <202310112223.39BMNY2Y092294@gitrepo.freebsd.org>
References:  <202310112223.39BMNY2Y092294@gitrepo.freebsd.org>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

On Wed, Oct 11, 2023, at 6:23 PM, Po-Chuan Hsieh wrote:
> The branch main has been updated by sunpoet:
>
> URL: 
> https://cgit.FreeBSD.org/ports/commit/?id=c06e206dffd44ca562f86fbf55c06e361881bf47
>
> commit c06e206dffd44ca562f86fbf55c06e361881bf47
> Author:     Po-Chuan Hsieh <sunpoet@FreeBSD.org>
> AuthorDate: 2023-10-11 22:22:51 +0000
> Commit:     Po-Chuan Hsieh <sunpoet@FreeBSD.org>
> CommitDate: 2023-10-11 22:22:51 +0000
>
>     security/vuxml: Fix bca498407bf9e529936ebb68e9ca257bdd1428de
>    
>     The pkg audit result before the fix:
>     curl-8.4.0 is vulnerable:
>       curl -- SOCKS5 heap buffer overflow
>       CVE: CVE-2023-38545
>       WWW: 
> https://vuxml.FreeBSD.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html
>    
>     1 problem(s) in 1 installed package(s) found.
> ---
>  security/vuxml/vuln/2023.xml | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
> index d2b1be12644f..db04c1b9498f 100644
> --- a/security/vuxml/vuln/2023.xml
> +++ b/security/vuxml/vuln/2023.xml
> @@ -3,8 +3,7 @@
>      <affects>
>        <package>
>  	<name>curl</name>
> -	<range><gt>7.69.0</gt></range>
> -	<range><lt>8.4.0</lt></range>
> +	<range><gt>7.69.0</gt><lt>8.4.0</lt></range>

FreshPorts agrees with this change in that it no longer lists 8.4.0 as vuln

However, my hosts are still getting:

[2:42 dns1 dan ~] % sudo pkg audit -F
vulnxml file up-to-date
curl-8.4.0 is vulnerable:
  curl -- SOCKS5 heap buffer overflow
  CVE: CVE-2023-38545
  WWW: https://vuxml.FreeBSD.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html

1 problem(s) in 1 installed package(s) found.

What do I need to do in order to propagate that fix?

Thank you.

>        </package>
>      </affects>
>      <description>
> @@ -35,6 +34,7 @@
>      <dates>
>        <discovery>2023-09-30</discovery>
>        <entry>2023-10-11</entry>
> +      <modified>2023-10-11</modified>
>      </dates>
>    </vuln>

-- 
  Dan Langille
  dan@langille.org

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9c707b4a-f8ee-4206-a935-5bc87409dfe9>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact