Bug 256236

Summary: ports-mgmt/pkg: audit command didn't work properly with port epoch
Product: Ports & Packages Reporter: Kirill <kirill>
Component: Individual Port(s)Assignee: freebsd-pkg (Nobody) <pkg>
Status: Closed Overcome By Events    
Severity: Affects Many People CC: philip
Priority: --- Keywords: security
Version: LatestFlags: bugzilla: maintainer-feedback? (pkg)
Hardware: Any   
OS: Any   

Description Kirill 2021-05-29 08:00:53 UTC

We skip some important information about security vulnerabilities if port epoch > 1.

For example:

server1# pkg audit nginx-1.20.0_2,1
nginx-1.20.0_2,1 is vulnerable:

Works well. But if we change the epoch to 2:

server1# pkg audit nginx-1.20.0_2,2
0 problem(s) in 0 installed package(s) found.

The nginx port is currently at epoch 2.
Comment 1 Philip Paeps freebsd_committer 2021-06-24 11:22:01 UTC
% pkg audit nginx-1.20.0_2,2
nginx-1.20.0_2,2 is vulnerable:
  NGINX -- 1-byte memory overwrite in resolver
  CVE: CVE-2021-23017
  WWW: https://vuxml.FreeBSD.org/freebsd/0882f019-bd60-11eb-9bdd-8c164567ca3c.html

1 problem(s) in 1 installed package(s) found.

I suspect your vuln.xml file is/was out of date.  This was fixed in c2a2f2b35ad4:

Note that because of a syntax error introduced in c7737d4b2e5d on 2021-06-10, the vuln.xml file has not been updated until approximately an hour ago.  The build was fixed in 46119dd553f1:

See also #256789