Date: Tue, 03 Oct 2023 19:55:08 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 274251] ports-mgmt/pkg upgrade -v identifies packages not identified by pkg audit -F
Message-ID: <bug-274251-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274251

            Bug ID: 274251
           Summary: ports-mgmt/pkg upgrade -v identifies packages not identified by pkg audit -F
           Product: Ports & Packages
           Version: Latest
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: pkg@FreeBSD.org
          Reporter: freebsd@haraschak.com
             Flags: maintainer-feedback?(pkg@FreeBSD.org)
          Assignee: pkg@FreeBSD.org

FreeBSD 13.2-RELEASE-p3
pkg -v 1.20.6

Package audit shows no vulnerabilities using the following command:

pkg audit -F
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.

However, using `pkg upgrade -v -n` the output indicates there are two vulnerable packages:

pkg upgrade -v -n
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
vulnxml file up-to-date
Checking for upgrades (41 candidates): 100%
Processing candidates (41 candidates): 100%
The following 42 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    p5-IO-Socket-IP: 0.42

Installed packages to be UPGRADED:
    bareos-client: 21.0.0 -> 22.0.3
    bash: 5.1.16 -> 5.2.15
    bat: 0.19.0_2 -> 0.23.0_5
    exa: 0.10.1_9 -> 0.10.1_25
    fish: 3.6.0 -> 3.6.1_1
    git: 2.41.0 -> 2.42.0
    icdiff: 2.0.6 -> 2.0.7
    libgit2: 1.3.0 -> 1.6.4
    libidn2: 2.3.3 -> 2.3.4
    libpsl: 0.21.1_5 -> 0.21.2_3
    libunistring: 1.0 -> 1.1
    libxml2: 2.10.4 -> 2.10.4_1
    nginx: 1.20.2_7,2 -> 1.24.0_12,3
    oniguruma: 6.9.7.1 -> 6.9.8_1
    p5-Authen-SASL: 2.16_1 -> 2.17
    p5-Clone: 0.45 -> 0.46
    p5-HTTP-Date: 6.05 -> 6.06
    p5-HTTP-Message: 6.36 -> 6.45
    p5-IO-Socket-SSL: 2.083 -> 2.083_1
    p5-Mozilla-CA: 20221114 -> 20230821
    p5-URI: 5.10 -> 5.21
    pam_ssh_agent_auth: 0.10.4_1 -> 0.10.4_4
    pcre: 8.45_1 -> 8.45_3
    perl5: 5.32.1_3 -> 5.34.1_3
    sudo: 1.9.12p1 -> 1.9.14p3
    vim: 9.0.0379 -> 9.0.1876
    zabbix64-agent: 6.4.4 -> 6.4.7

Installed packages to be REINSTALLED:
    cyrus-sasl-2.1.28 (vulnerability found)
    p5-CGI-4.57 (direct dependency changed: perl5)
    p5-Digest-HMAC-1.04 (direct dependency changed: perl5)
    p5-Encode-Locale-1.05 (direct dependency changed: perl5)
    p5-Error-0.17029 (direct dependency changed: perl5)
    p5-GSSAPI-0.28_2 (direct dependency changed: perl5)
    p5-HTML-Parser-3.81 (direct dependency changed: perl5)
    p5-HTML-Tagset-3.20_1 (direct dependency changed: perl5)
    p5-IO-HTML-1.004 (direct dependency changed: perl5)
    p5-IO-Socket-INET6-2.72_1 (vulnerability found)
    p5-LWP-MediaTypes-6.04 (direct dependency changed: perl5)
    p5-Net-SSLeay-1.92 (direct dependency changed: perl5)
    p5-Socket6-0.29 (direct dependency changed: perl5)
    p5-TimeDate-2.33,1 (direct dependency changed: perl5)

Number of packages to be installed: 1
Number of packages to be upgraded: 27
Number of packages to be reinstalled: 14

The process will require 8 MiB more space.
44 MiB to be downloaded.

---
pkg info cyrus-sasl | grep Version
Version        : 2.1.28

pkg info p5-IO-Socket-INET6 | grep Version
Version        : 2.72_1
---

The vuxml database timestamp indicated the file was up-to-date.

In the scenario where Zabbix or Nagios is using `pkg audit` to check for vulnerable packages, it would miss items identified by `pkg upgrade`; however, upon verifying the packages identified by `pkg upgrade`, they do not appear to be vulnerable.

cyrus-sasl: https://vuxml.freebsd.org/freebsd/a80c6273-988c-11ec-83ac-080027415d17.html

p5-IO-Socket-INET6 does not exist in https://vuxml.freebsd.org/freebsd/index-pkg.html

-- 
You are receiving this mail because:
You are the assignee for the bug.
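The monitoring scenario in the report (a Zabbix or Nagios probe that only wraps `pkg audit` and therefore never sees the "(vulnerability found)" entries that `pkg upgrade -n -v` prints) can be covered by a check that parses both outputs and reports the difference. The script below is an added example written for this page; it is not part of the bug report or of pkg itself. It assumes that `pkg upgrade -n -v` marks affected entries with the literal text "(vulnerability found)" as shown in the report, and that `pkg audit` prints one "<name-version> is vulnerable:" line per finding; the sample inputs are constructed from the lines quoted in the report.

```sh
#!/bin/sh
# Added example, not part of the bug report: extract the packages that a
# dry-run "pkg upgrade -n -v" marks "(vulnerability found)" and compare
# them with the packages "pkg audit" reports, so a monitoring probe that
# only wraps "pkg audit" does not silently miss the former.

# Read "pkg upgrade -n -v" output on stdin; print one "name-version" per
# line for every entry followed by the "(vulnerability found)" marker.
# Works on normal one-entry-per-line output and on output that has been
# flattened onto a single line (as in the archived copy of the report).
flagged_by_upgrade() {
    awk '{
        for (i = 2; i <= NF; i++)
            if ($i == "(vulnerability" && $(i + 1) == "found)")
                print $(i - 1)
    }'
}

# Read "pkg audit" output on stdin; print the "name-version" of every
# "<pkg> is vulnerable:" line (assumed per-finding format of pkg audit).
reported_by_audit() {
    awk '$2 == "is" && $3 == "vulnerable:" { print $1 }'
}

# Usage: missed_by_audit UPGRADE_OUTPUT_FILE AUDIT_OUTPUT_FILE
# Prints every package flagged by pkg upgrade that pkg audit did not report.
missed_by_audit() {
    audit_list=$(reported_by_audit < "$2")
    flagged_by_upgrade < "$1" | while read -r pkg; do
        printf '%s\n' "$audit_list" | grep -qxF -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# Constructed sample inputs, taken from the lines quoted in the report.
UPGRADE_SAMPLE='Installed packages to be REINSTALLED:
    cyrus-sasl-2.1.28 (vulnerability found)
    p5-CGI-4.57 (direct dependency changed: perl5)
    p5-IO-Socket-INET6-2.72_1 (vulnerability found)
    p5-LWP-MediaTypes-6.04 (direct dependency changed: perl5)'
AUDIT_SAMPLE='vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.'

# Run the comparison on the samples and return the discrepancy list as one
# space-separated string (a convenient value for a monitoring item).
demo_discrepancies() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$UPGRADE_SAMPLE" > "$tmp/upgrade.txt"
    printf '%s\n' "$AUDIT_SAMPLE" > "$tmp/audit.txt"
    missed_by_audit "$tmp/upgrade.txt" "$tmp/audit.txt" | tr '\n' ' ' | sed 's/ $//'
    rm -rf "$tmp"
}

# On a real host, replace the samples with the live outputs, e.g.
#   pkg upgrade -n -v > upgrade.txt; pkg audit -F > audit.txt
# and raise an alert whenever missed_by_audit prints anything, then confirm
# each name against the vuxml entry before treating it as a finding.
demo_discrepancies
```

On the sample inputs the check prints `cyrus-sasl-2.1.28 p5-IO-Socket-INET6-2.72_1`, exactly the two entries the report says `pkg audit -F` omitted; in the reporter's case the next step would be the manual vuxml lookup the report describes, since the discrepancy may be a false positive on the `pkg upgrade` side rather than a missed vulnerability.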
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-274251-7788>