From: Li-Wen Hsu <lwhsu@freebsd.org>
Date: Wed, 23 Jun 2021 18:05:37 +0800
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports
References: <3c438d98-6c84-caf1-cfe9-45bf2b0527bf@netfence.it>
Subject: Re: www/py-aiohttp vulnerabilities
To: Kurt Jaeger
Cc: Andrea Venturoli, Kubilay Kocak, FreeBSD ports

On Wed, Jun 23, 2021 at 3:29 PM Kurt Jaeger wrote:
>
> Hi!
>
> > pkg audit complains that
> > py37-aiohttp-3.7.4.p0 (www/py-aiohttp) is vulnerable:
> > aiohttp -- open redirect vulnerability
> > CVE: CVE-2021-21330
> > WWW: https://vuxml.FreeBSD.org/freebsd/3000acee-c45d-11eb-904f-14dae9d5a9d2.html
> >
> > 1 problem(s) found.
> >
> > However, AFAICT following the link, this CVE was fixed in 3.7.4.
> > Is this version vulnerable or not?
> >
> > Reading https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256219, IIUIC,
> > looks like answer is no.
> > Is then something wrong with my audit database?
>
> From reading the ticket it's probably a problem of the
> PORTVERSION -- there's some ordering assumption, which causes
> 3.7.4 to be newer than 3.7.4.post0.

I think this fixes/works around the issue:
https://cgit.freebsd.org/ports/commit/?id=f3e4dbcb5ff2fe2a018f78f396a4247f1dd32cc9

I changed the affected version from < 3.7.4 to <= 3.7.3. Now both 3.7.4 and
3.7.4.p0 (3.7.4.post0) are not affected. Although in ports' version 3.7.4 is
newer than 3.7.4.p0, we don't have 3.7.4 in the history of www/py-aiohttp so no
PORTEPOCH is needed.

Best,
Li-Wen
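The following is an added worked example, not code from this thread, from the ports tree or from pkg(8). It models how a VuXML-style affected-version bound is evaluated against installed port versions, to show why the bound "< 3.7.4" flags py37-aiohttp-3.7.4.p0 while "<= 3.7.3" does not. The comparator is a constructed, simplified approximation of ports version ordering: it reproduces the one property the thread relies on (a letter-led trailing component such as ".p0" sorts below the bare version, so 3.7.4.p0 < 3.7.4) and also handles PORTREVISION ("_N") and PORTEPOCH (",N"), but it is not pkg(8)'s algorithm. The function names and the sample version list are the example's own; on a FreeBSD host, `pkg version -t A B` gives the authoritative ordering.

```python
# Added example: a constructed model of ports version ordering and of a
# VuXML-style range check. Not pkg(8)'s implementation; it only reproduces
# the ordering reported in the thread (3.7.4.p0 < 3.7.4) plus the usual
# PORTREVISION ("_N") and PORTEPOCH (",N") precedence.
import re

# A component is: optional leading number, optional letters, optional trailing
# number, e.g. "4" -> (4, "", 0), "p0" -> (None, "p", 0), "1a" -> (1, "a", 0).
_COMPONENT = re.compile(r"^(\d*)([A-Za-z]*)(\d*)$")


def parse_ports_version(v):
    """Split a ports version into (components, portrevision, portepoch)."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    comps = []
    for piece in v.split("."):
        m = _COMPONENT.match(piece)
        if not m or piece == "":
            raise ValueError("unsupported version component: %r" % piece)
        num, letters, tail = m.groups()
        comps.append((int(num) if num else None,
                      letters.lower(),
                      int(tail) if tail else 0))
    return comps, revision, epoch


# An absent component (the shorter version has run out) is treated as (0, "", 0).
# A component with no leading number, such as "p0", is given -1 so that it
# ranks BELOW an absent component: this is the modelled ordering that makes
# 3.7.4.p0 compare lower than 3.7.4. A purely numeric extra component such as
# ".1" ranks above an absent one (3.7.4.1 > 3.7.4).
_ABSENT = (0, "", 0)


def _component_key(c):
    num, letters, tail = c
    return (-1 if num is None else num, letters, tail)


def compare_ports_versions(a, b):
    """Return -1, 0 or 1 ordering a relative to b (constructed model)."""
    ca, ra, ea = parse_ports_version(a)
    cb, rb, eb = parse_ports_version(b)
    if ea != eb:                      # PORTEPOCH dominates everything
        return -1 if ea < eb else 1
    for i in range(max(len(ca), len(cb))):
        ka = _component_key(ca[i]) if i < len(ca) else _ABSENT
        kb = _component_key(cb[i]) if i < len(cb) else _ABSENT
        if ka != kb:
            return -1 if ka < kb else 1
    if ra != rb:                      # PORTREVISION breaks ties
        return -1 if ra < rb else 1
    return 0


def affected(installed, op, bound):
    """Evaluate one range term; op is one of '<', '<=', '>', '>=', '='."""
    c = compare_ports_versions(installed, bound)
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c == 0}[op]


def audit(installed_versions, ranges):
    """Map each installed version to True if any range term matches it."""
    return {v: any(affected(v, op, b) for op, b in ranges)
            for v in installed_versions}


# Constructed sample: the versions discussed in the thread.
VERSIONS = ["3.7.3", "3.7.4", "3.7.4.p0"]
OLD_RANGE = [("<", "3.7.4")]     # bound in the original VuXML entry
NEW_RANGE = [("<=", "3.7.3")]    # bound after the change described above

if __name__ == "__main__":
    for label, rng in (("< 3.7.4", OLD_RANGE), ("<= 3.7.3", NEW_RANGE)):
        print(label, audit(VERSIONS, rng))
```

Under the modelled ordering, the "< 3.7.4" bound marks 3.7.4.p0 as affected because the ".p0" component sorts below the bare 3.7.4, which is the false positive reported by pkg audit; "<= 3.7.3" only matches versions whose third component is at most 3, so neither 3.7.4 nor 3.7.4.p0 is flagged. The epoch handling also illustrates the last point in the mail: a PORTEPOCH would force 3.7.4.p0,1 above 3.7.4, but since 3.7.4 never existed in the port's history there is nothing to order it against.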