Bug 274251 - ports-mgmt/pkg upgrade -v identifies packages not identified by pkg audit -F
Summary: ports-mgmt/pkg upgrade -v identifies packages not identified by pkg audit -F
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: freebsd-pkg (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-03 19:55 UTC by Ryan
Modified: 2023-10-03 22:47 UTC

See Also:
bugzilla: maintainer-feedback? (pkg)


Description Ryan 2023-10-03 19:55:08 UTC
FreeBSD 13.2-RELEASE-p3
pkg -v 1.20.6

Package audit shows no vulnerabilities using the following command:

  pkg audit -F
  vulnxml file up-to-date
  0 problem(s) in 0 installed package(s) found.

However, using `pkg upgrade -v -n` the output indicates there are two vulnerable packages:

pkg upgrade -v -n
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
vulnxml file up-to-date
Checking for upgrades (41 candidates): 100%
Processing candidates (41 candidates): 100%
The following 42 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	p5-IO-Socket-IP: 0.42

Installed packages to be UPGRADED:
	bareos-client: 21.0.0 -> 22.0.3
	bash: 5.1.16 -> 5.2.15
	bat: 0.19.0_2 -> 0.23.0_5
	exa: 0.10.1_9 -> 0.10.1_25
	fish: 3.6.0 -> 3.6.1_1
	git: 2.41.0 -> 2.42.0
	icdiff: 2.0.6 -> 2.0.7
	libgit2: 1.3.0 -> 1.6.4
	libidn2: 2.3.3 -> 2.3.4
	libpsl: 0.21.1_5 -> 0.21.2_3
	libunistring: 1.0 -> 1.1
	libxml2: 2.10.4 -> 2.10.4_1
	nginx: 1.20.2_7,2 -> 1.24.0_12,3
	oniguruma: 6.9.7.1 -> 6.9.8_1
	p5-Authen-SASL: 2.16_1 -> 2.17
	p5-Clone: 0.45 -> 0.46
	p5-HTTP-Date: 6.05 -> 6.06
	p5-HTTP-Message: 6.36 -> 6.45
	p5-IO-Socket-SSL: 2.083 -> 2.083_1
	p5-Mozilla-CA: 20221114 -> 20230821
	p5-URI: 5.10 -> 5.21
	pam_ssh_agent_auth: 0.10.4_1 -> 0.10.4_4
	pcre: 8.45_1 -> 8.45_3
	perl5: 5.32.1_3 -> 5.34.1_3
	sudo: 1.9.12p1 -> 1.9.14p3
	vim: 9.0.0379 -> 9.0.1876
	zabbix64-agent: 6.4.4 -> 6.4.7

Installed packages to be REINSTALLED:
	cyrus-sasl-2.1.28 (vulnerability found)
	p5-CGI-4.57 (direct dependency changed: perl5)
	p5-Digest-HMAC-1.04 (direct dependency changed: perl5)
	p5-Encode-Locale-1.05 (direct dependency changed: perl5)
	p5-Error-0.17029 (direct dependency changed: perl5)
	p5-GSSAPI-0.28_2 (direct dependency changed: perl5)
	p5-HTML-Parser-3.81 (direct dependency changed: perl5)
	p5-HTML-Tagset-3.20_1 (direct dependency changed: perl5)
	p5-IO-HTML-1.004 (direct dependency changed: perl5)
	p5-IO-Socket-INET6-2.72_1 (vulnerability found)
	p5-LWP-MediaTypes-6.04 (direct dependency changed: perl5)
	p5-Net-SSLeay-1.92 (direct dependency changed: perl5)
	p5-Socket6-0.29 (direct dependency changed: perl5)
	p5-TimeDate-2.33,1 (direct dependency changed: perl5)

Number of packages to be installed: 1
Number of packages to be upgraded: 27
Number of packages to be reinstalled: 14

The process will require 8 MiB more space.
44 MiB to be downloaded.

---
pkg info cyrus-sasl | grep Version
Version        : 2.1.28

pkg info p5-IO-Socket-INET6 | grep Version
Version        : 2.72_1
---

The vuxml database timestamp indicated the file was up-to-date.

In the scenario where Zabbix or Nagios is using `pkg audit` to check for vulnerable packages, it would miss items identified by `pkg upgrade`; however, upon verifying the packages identified by `pkg upgrade`, they do not appear to be vulnerable.

cyrus-sasl: https://vuxml.freebsd.org/freebsd/a80c6273-988c-11ec-83ac-080027415d17.html

p5-IO-Socket-INET6 does not exist in https://vuxml.freebsd.org/freebsd/index-pkg.html
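A cross-check for the discrepancy described in the report, added here as an example and not part of the bug report or of pkg(8): it parses the "(vulnerability found)" tags from a dry-run `pkg upgrade -n -v` and the hits from `pkg audit -F`, and reports the package names the two tools disagree on, so a monitoring check does not silently trust one of them. It assumes pkg audit prints each hit as `<package>-<version> is vulnerable:`; the sample outputs are constructed from the report.

```sh
#!/bin/sh
# Added example (not from the bug report): compare what `pkg upgrade -n -v` tags
# "(vulnerability found)" with what `pkg audit -F` reports, so a Zabbix/Nagios
# check can raise the discrepancy instead of silently trusting one tool.
# Assumption: pkg audit prints one "<name>-<version> is vulnerable:" line per hit.
# Package names (version stripped after the last '-') tagged by pkg upgrade.
flagged_by_upgrade() {
    sed -n 's/^[[:space:]]*\([^[:space:]]*\) (vulnerability found)$/\1/p' "$1" \
        | sed 's/-[^-]*$//' | sort -u
}

# Package names that pkg audit reported as vulnerable.
flagged_by_audit() {
    sed -n 's/^\([^[:space:]]*\) is vulnerable:$/\1/p' "$1" \
        | sed 's/-[^-]*$//' | sort -u
}

# Names tagged by pkg upgrade but absent from pkg audit: the reported gap.
upgrade_only() {
    up=$(mktemp) && au=$(mktemp)
    flagged_by_upgrade "$1" > "$up"
    flagged_by_audit "$2" > "$au"
    comm -23 "$up" "$au"          # lines only in the pkg upgrade list
    rm -f "$up" "$au"
}

# Nagios-style verdict: 0 when both tools agree, 1 (WARNING) otherwise.
check_consistency() {
    gap=$(upgrade_only "$1" "$2" | tr '\n' ' ')
    if [ -n "$gap" ]; then
        echo "WARNING: flagged by pkg upgrade but not by pkg audit: $gap"
        return 1
    fi
    echo "OK: pkg audit and pkg upgrade agree"
}

# Constructed sample outputs modelled on the report (pkg audit found nothing).
UPGRADE_OUT=$(mktemp) && AUDIT_OUT=$(mktemp)
trap 'rm -f "$UPGRADE_OUT" "$AUDIT_OUT"' EXIT
cat > "$UPGRADE_OUT" <<'EOF'
Installed packages to be REINSTALLED:
    cyrus-sasl-2.1.28 (vulnerability found)
    p5-CGI-4.57 (direct dependency changed: perl5)
    p5-IO-Socket-INET6-2.72_1 (vulnerability found)
EOF
cat > "$AUDIT_OUT" <<'EOF'
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
EOF
check_consistency "$UPGRADE_OUT" "$AUDIT_OUT" || echo "exit status: $?"
```

On a real host, feed it the saved output of `pkg upgrade -n -v` and `pkg audit -F` instead of the constructed files.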