Bug 256236 - ports-mgmt/pkg: audit command didn't work properly with port epoch
Summary: ports-mgmt/pkg: audit command didn't work properly with port epoch
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-pkg (Nobody)
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2021-05-29 08:00 UTC by Kirill
Modified: 2021-06-24 11:22 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (pkg)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kirill 2021-05-29 08:00:53 UTC
Hi.

We skip some important information about security vulnerabilities if port epoch > 1.

For example:

server1# pkg audit nginx-1.20.0_2,1
nginx-1.20.0_2,1 is vulnerable:
........


Works well. But if we change the epoch to 2:


server1# pkg audit nginx-1.20.0_2,2
0 problem(s) in 0 installed package(s) found.


The nginx port is currently at epoch 2.
Comment 1 Philip Paeps freebsd_committer freebsd_triage 2021-06-24 11:22:01 UTC
% pkg audit nginx-1.20.0_2,2
nginx-1.20.0_2,2 is vulnerable:
  NGINX -- 1-byte memory overwrite in resolver
  CVE: CVE-2021-23017
  WWW: https://vuxml.FreeBSD.org/freebsd/0882f019-bd60-11eb-9bdd-8c164567ca3c.html

1 problem(s) in 1 installed package(s) found.

I suspect your vuln.xml file is/was out of date.  This was fixed in c2a2f2b35ad4:
https://cgit.freebsd.org/ports/commit/?id=c2a2f2b35ad4

Note that because of a syntax error introduced in c7737d4b2e5d on 2021-06-10, the vuln.xml file has not been updated until approximately an hour ago.  The build was fixed in 46119dd553f1:
https://cgit.freebsd.org/ports/commit/?id=46119dd553f18833b20a76623029a24dd4948c58

See also #256789