pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

pkgsrc is flagging a corrected vulnerability in "jq"


Just installed pkgsrc-2019Q2, and I get the following message while trying to compile "jq" (/dev/jq):

$ bmake && bmake install
=> Bootstrap dependency digest>=20010302: found digest-20160304
===> Checking for vulnerabilities in jq-1.6
Package jq-1.6 has a denial-of-service vulnerability, see
ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URL in pkg_install.conf(5) if this package is absolutely essential.
*** Error code 1

However, the CVE link provided:
points out that this denial-of-service is for jq 1.5, while distinfo (as well as the message above) indicate that jq is now version 1.6 in pkgsrc.

Furthermore, reading the different references of the CVE link points to:

... which itself indicates the issue has been fixed in a commit in mid-August 2016.

I think we can safely assume jq 1.6 does not contain the vulnerability anymore. I believe the pkgsrc warning should be removed and/or modified to reflect these changes.

Home | Main Index | Thread Index | Old Index