Date:      Wed, 23 Jun 2021 18:05:37 +0800
From:      Li-Wen Hsu <lwhsu@freebsd.org>
To:        Kurt Jaeger <pi@freebsd.org>
Cc:        Andrea Venturoli <ml@netfence.it>, Kubilay Kocak <koobs@freebsd.org>,  FreeBSD ports <freebsd-ports@freebsd.org>
Subject:   Re: www/py-aiohttp vulnerabilities
Message-ID:  <CAKBkRUys469KDSeO6FJJZ4o_bLEajmzVhzkAca2OSd3=t3v1gg@mail.gmail.com>
In-Reply-To: <YNLimK86kKI3693B@home.opsec.eu>
References:  <3c438d98-6c84-caf1-cfe9-45bf2b0527bf@netfence.it> <YNLimK86kKI3693B@home.opsec.eu>

On Wed, Jun 23, 2021 at 3:29 PM Kurt Jaeger <pi@freebsd.org> wrote:
>
> Hi!
>
> > pkg audit complains that
> > > py37-aiohttp-3.7.4.p0 (www/py-aiohttp) is vulnerable:
> > >   aiohttp -- open redirect vulnerability
> > >   CVE: CVE-2021-21330
> > >   WWW: https://vuxml.FreeBSD.org/freebsd/3000acee-c45d-11eb-904f-14dae9d5a9d2.html
> > >
> > > 1 problem(s) found.
> >
> > However, AFAICT following the link, this CVE was fixed in 3.7.4.
> > Is this version vulnerable or not?
> >
> > Reading https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256219, IIUIC,
> > looks like answer is no.
> > Is then something wrong with my audit database?
>
> From reading the ticket it's probably a problem of the
> PORTVERSION -- there's some ordering assumption, which causes
> 3.7.4 to be newer than 3.7.4.post0.

I think this fixes/works around the issue:
https://cgit.freebsd.org/ports/commit/?id=f3e4dbcb5ff2fe2a018f78f396a4247f1dd32cc9

I changed the affected version from < 3.7.4 to <= 3.7.3. Now both
3.7.4 and 3.7.4.p0 (3.7.4.post0) are not affected.

Although in ports' versioning 3.7.4 is newer than 3.7.4.p0, we don't have
3.7.4 in the history of www/py-aiohttp so no PORTEPOCH is needed.

Best,
Li-Wen
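The point of the thread is that `pkg audit` matches a VuXML range against pkg's version ordering, in which 3.7.4.p0 (ports' spelling of the PEP 440 post-release 3.7.4.post0) sorts below 3.7.4, so `<lt>3.7.4</lt>` caught the patched package while `<le>3.7.3</le>` does not. The following is an added example, not code from the thread, from pkg, or from the FreeBSD ports tree. Its comparator is an assumption: a simplified model that reproduces only the ordering stated above (numeric dotted components, with a trailing alphabetic-tagged component such as `p0` ranking below the bare version), not pkg's actual algorithm. The VuXML `<package>` fragments are constructed for the example and are not the text of the real entry; `pkg version -t A B` remains the authoritative comparison.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# ASSUMPTION: simplified model of ports version ordering, not pkg's own code.
# It only reproduces what the thread relies on: 3.7.3 < 3.7.4.p0 < 3.7.4.
Component = Tuple[int, str, int]   # (number, alpha tag, number after the tag)
_COMPONENT_RE = re.compile(r"^(\d*)([A-Za-z]*)(\d*)$")


def parse_version(version: str) -> List[Component]:
    """Split '3.7.4.p0' into [(3,'',0), (7,'',0), (4,'',0), (0,'p',0)]."""
    comps: List[Component] = []
    for raw in version.split("."):
        m = _COMPONENT_RE.match(raw)
        if raw == "" or m is None:
            raise ValueError(f"unsupported version component: {raw!r}")
        num, tag, tagnum = m.groups()
        comps.append((int(num or 0), tag.lower(), int(tagnum or 0)))
    return comps


def _cmp_component(a: Optional[Component], b: Optional[Component]) -> int:
    # None means that version has run out of components. The missing slot
    # counts as the bare release: it beats a tagged component (3.7.4 > 3.7.4.p0)
    # but loses to a positive numeric one (3.7.4 < 3.7.4.1).
    if a is None and b is None:
        return 0
    if a is None:
        return -_cmp_component(b, None)
    if b is None:
        if a[1]:
            return -1
        return 1 if a[0] > 0 else 0
    if a[0] != b[0]:
        return -1 if a[0] < b[0] else 1
    if bool(a[1]) != bool(b[1]):          # bare release ranks above a tag
        return 1 if not a[1] else -1
    if a[1] != b[1]:
        return -1 if a[1] < b[1] else 1
    if a[2] != b[2]:
        return -1 if a[2] < b[2] else 1
    return 0


def compare(v1: str, v2: str) -> int:
    """Return <0, 0 or >0 like `pkg version -t` would print '<', '=' or '>'."""
    c1, c2 = parse_version(v1), parse_version(v2)
    for i in range(max(len(c1), len(c2))):
        r = _cmp_component(c1[i] if i < len(c1) else None,
                           c2[i] if i < len(c2) else None)
        if r:
            return r
    return 0


# VuXML bound elements: every bound inside one <range> must hold.
_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def in_range(version: str, bounds: List[Tuple[str, str]]) -> bool:
    """bounds is a list of (op, version) such as [("ge", "3.0"), ("lt", "3.7.4")]."""
    return all(_OPS[op](compare(version, bound)) for op, bound in bounds)


def ranges_from_vuxml(fragment: str) -> List[List[Tuple[str, str]]]:
    """Collect the bounds of each <range> in a VuXML <package> fragment."""
    root = ET.fromstring(fragment)
    return [[(b.tag, (b.text or "").strip()) for b in rng] for rng in root.iter("range")]


def is_vulnerable(version: str, fragment: str) -> bool:
    """True if the installed version falls inside any <range> of the entry."""
    return any(in_range(version, bounds) for bounds in ranges_from_vuxml(fragment))


# Constructed fragments (not the real entry's text): the affected range as it
# read before and after the change described in the message above.
BEFORE = "<package><name>py37-aiohttp</name><range><lt>3.7.4</lt></range></package>"
AFTER = "<package><name>py37-aiohttp</name><range><le>3.7.3</le></range></package>"

if __name__ == "__main__":
    for v in ("3.7.3", "3.7.4.p0", "3.7.4"):
        print(f"{v:10} before: {is_vulnerable(v, BEFORE)!s:5} after: {is_vulnerable(v, AFTER)}")
```

Under this model the old range flags 3.7.4.p0 (because 3.7.4.p0 < 3.7.4) while the new one does not (because 3.7.4.p0 > 3.7.3), and both leave a hypothetical plain 3.7.4 unflagged, which is why the `<le>3.7.3</le>` form needs no PORTEPOCH. When checking a real port, compare against `pkg version -t 3.7.4.p0 3.7.4` rather than trusting the simplified comparator.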



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAKBkRUys469KDSeO6FJJZ4o_bLEajmzVhzkAca2OSd3=t3v1gg>