How to use fetch-pkg-vulnerabilities (says pkg is vulnerable when it's not supposed to be)

To: Pkgsrc Users <pkgsrc-users%netbsd.org@localhost>
Subject: How to use fetch-pkg-vulnerabilities (says pkg is vulnerable when it's not supposed to be)
From: Peter Lai <cowbert%gmail.com@localhost>
Date: Thu, 18 Mar 2021 14:46:38 -0400

I ran pkg_admin fetch-pkg-vulnerabilities but while trying to build
lang/python37 make is still showing:

Package python37-3.7.10 has a buffer-overflow vulnerability, see
https://nvd.nist.gov/vuln/detail/CVE-2021-3177

even though it was fixed per the upstream commit :

bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and \
ctypes.c_longdouble values.

There are 2 older vulnerabilities that were patched previous to this.

Is pkg vulnerabliities outdated or am I doing something wrong here? I
have a somewhat complicated networking setup for this host, I have to
reverse tunnel through a jump host and another proxy and no FTP or
IPV6 support in order to access the internet to fetch. How do I
verbose fetch-pkg-vulnerabilities to see that is actually fetching?
(make fetch works fine with curl progress bar when I manually munge
MASTER_SITES to accommodate lack of FTP and IPV6).

Follow-Ups:
- Re: How to use fetch-pkg-vulnerabilities (says pkg is vulnerable when it's not supposed to be)
  - From: Leonardo Taccari

Prev by Date: Re: enable icu support by default in libxml2
Next by Date: Re: How to use fetch-pkg-vulnerabilities (says pkg is vulnerable when it's not supposed to be)
Previous by Thread: pkgsrc freeze for 2021Q1
Next by Thread: Re: How to use fetch-pkg-vulnerabilities (says pkg is vulnerable when it's not supposed to be)
Indexes:

Home | Main Index | Thread Index | Old Index