Date: Wed, 23 Jun 2021 09:28:24 +0200 From: Kurt Jaeger <pi@freebsd.org> To: Andrea Venturoli <ml@netfence.it> Cc: koobs@freebsd.org, freebsd-ports@freebsd.org Subject: Re: www/py-aiohttp vulnerabilities Message-ID: <YNLimK86kKI3693B@home.opsec.eu> In-Reply-To: <3c438d98-6c84-caf1-cfe9-45bf2b0527bf@netfence.it> References: <3c438d98-6c84-caf1-cfe9-45bf2b0527bf@netfence.it>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi! > pkg audit complains that > > py37-aiohttp-3.7.4.p0 (www/py-aiohttp) is vulnerable: > > aiohttp -- open redirect vulnerability > > CVE: CVE-2021-21330 > > WWW: https://vuxml.FreeBSD.org/freebsd/3000acee-c45d-11eb-904f-14dae9d5a9d2.html > > > > 1 problem(s) found. > > However, AFAICT following the link, this CVE was fixed in 3.7.4. > Is this version vulnerable or not? > > Reading https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256219, IIUIC, > looks like answer is no. > Is then something wrong with my audit database? >From reading the ticket it's probably a problem of the PORTVERSION -- there's some ordering assumption, which causes 3.7.4 to be newer than 3.7.4.post0. -- pi@opsec.eu +49 171 3101372 Now what ?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YNLimK86kKI3693B>