Hi.

We skip some important information about security vulnerabilities if port epoch > 1. For example:

server1# pkg audit nginx-1.20.0_2,1
nginx-1.20.0_2,1 is vulnerable:
........

Works well. But if we change the epoch to 2:

server1# pkg audit nginx-1.20.0_2,2
0 problem(s) in 0 installed package(s) found.

The nginx port is currently at epoch 2.

% pkg audit nginx-1.20.0_2,2
nginx-1.20.0_2,2 is vulnerable:
  NGINX -- 1-byte memory overwrite in resolver
  CVE: CVE-2021-23017
  WWW: https://vuxml.FreeBSD.org/freebsd/0882f019-bd60-11eb-9bdd-8c164567ca3c.html

1 problem(s) in 1 installed package(s) found.

I suspect your vuln.xml file is/was out of date. This was fixed in c2a2f2b35ad4:
https://cgit.freebsd.org/ports/commit/?id=c2a2f2b35ad4

Note that because of a syntax error introduced in c7737d4b2e5d on 2021-06-10, the vuln.xml file has not been updated until approximately an hour ago. The build was fixed in 46119dd553f1:
https://cgit.freebsd.org/ports/commit/?id=46119dd553f18833b20a76623029a24dd4948c58

See also #256789
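
Added example, not part of the thread and not code from pkg or the ports tree: a simplified comparator showing that the epoch dominates FreeBSD version ordering, so a "less than" bound written for epoch 1 cannot match a package at epoch 2. The bounds `1.20.1,1` and `1.20.1,2` are constructed for illustration and are not the actual vuln.xml entry; only dotted numeric versions are handled.

```python
import re
from typing import NamedTuple, Tuple

class PkgVersion(NamedTuple):
    epoch: int                 # PORTEPOCH, the part after ","
    version: Tuple[int, ...]   # upstream version, dotted numeric only
    revision: int              # PORTREVISION, the part after "_"

_VERSION_RE = re.compile(
    r"^(?P<ver>\d+(?:\.\d+)*)(?:_(?P<rev>\d+))?(?:,(?P<epoch>\d+))?$"
)

def parse_version(text: str) -> PkgVersion:
    """Parse 'version[_revision][,epoch]'; a missing field counts as 0."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    return PkgVersion(
        epoch=int(m["epoch"] or 0),
        version=tuple(int(p) for p in m["ver"].split(".")),
        revision=int(m["rev"] or 0),
    )

def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1. Epoch is compared first, then version, then revision."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa.version), len(pb.version))
    ka = (pa.epoch, pa.version + (0,) * (width - len(pa.version)), pa.revision)
    kb = (pb.epoch, pb.version + (0,) * (width - len(pb.version)), pb.revision)
    return (ka > kb) - (ka < kb)

def matches_lt_bound(package: str, lt_bound: str) -> bool:
    """True if 'name-version' falls below an advisory's 'less than' bound."""
    _name, _, version = package.rpartition("-")
    return compare(version, lt_bound) < 0

if __name__ == "__main__":
    # Constructed bounds: one written for epoch 1, one for epoch 2.
    for bound in ("1.20.1,1", "1.20.1,2"):
        for pkg in ("nginx-1.20.0_2,1", "nginx-1.20.0_2,2"):
            hit = matches_lt_bound(pkg, bound)
            print(f"bound <{bound}: {pkg} -> {'vulnerable' if hit else 'no match'}")
```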