[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: pkgsrc is flagging a corrected vulnerability in "jq"
You are right, and "pkg_admin fetch-pkg-vulnerabilities" has removed the warning on 'jq'.
Now, I have another alert on the omiguruma lib, but that's another story...
Thanks for your help!
> Just installed pkgsrc-2019Q2, and I get the following message while trying
> to compile "jq" (/dev/jq):
> $ bmake && bmake install
> => Bootstrap dependency digest>=20010302: found digest-20160304
> ===> Checking for vulnerabilities in jq-1.6
> Package jq-1.6 has a denial-of-service vulnerability, see
> ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URL in
> pkg_install.conf(5) if this package is absolutely essential.
> *** Error code 1
> However, the CVE link provided:
> points out that this denial-of-service is for jq 1.5, while distinfo (as
> well as the message above) indicate that jq is now version 1.6 in pkgsrc.
> Furthermore, reading the different references of the CVE link points to:
> ... which itself indicates the issue has been fixed in a commit in
> mid-August 2016.
> I think we can safely assume jq 1.6 does not contain the vulnerability
> anymore. I believe the pkgsrc warning should be removed and/or modified to
> reflect these changes.
Yes, jq-1.6 addressed that indeed.
However, checking the corresponding entry in pkg-vulnerabilities (the
file that store this information and is used by pkg_admin(1) to report
jq<1.5nb4 denial-of-service http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4074
(and indeed the corresponding patch was backported in jq-1.5 in May
I think that this entry was still showed because the
pkg-vulnerabilities file was not updated. Can you please (re)run
`pkg_admin fetch-pkg-vulnerabilities' to update it?
Main Index |
Thread Index |