Re: How to use fetch-pkg-vulnerabilities (says pkg is vulnerable when it's not supposed to be)

To: Peter Lai <cowbert%gmail.com@localhost>
Subject: Re: How to use fetch-pkg-vulnerabilities (says pkg is vulnerable when it's not supposed to be)
From: Leonardo Taccari <leot%NetBSD.org@localhost>
Date: Thu, 18 Mar 2021 21:25:20 +0100

Hello Peter,

Peter Lai writes:
> I ran pkg_admin fetch-pkg-vulnerabilities but while trying to build
> lang/python37 make is still showing:
>
> Package python37-3.7.10 has a buffer-overflow vulnerability, see
> https://nvd.nist.gov/vuln/detail/CVE-2021-3177
>
> even though it was fixed per the upstream commit :
>
> bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and \
> ctypes.c_longdouble values.
>
> There are 2 older vulnerabilities that were patched previous to this.
>
> Is pkg vulnerabliities outdated or am I doing something wrong here? I
> have a somewhat complicated networking setup for this host, I have to
> reverse tunnel through a jump host and another proxy and no FTP or
> IPV6 support in order to access the internet to fetch. How do I
> verbose fetch-pkg-vulnerabilities to see that is actually fetching?
> (make fetch works fine with curl progress bar when I manually munge
> MASTER_SITES to accommodate lack of FTP and IPV6).

Nope, `pkg-vulnerabilities' was not updated to reflect that, I have just
updated it per information in
<https://python-security.readthedocs.io/vuln/ftplib-pasv.html>, thank
you for reporting that!

References:
- How to use fetch-pkg-vulnerabilities (says pkg is vulnerable when it's not supposed to be)
  - From: Peter Lai

Prev by Date: How to use fetch-pkg-vulnerabilities (says pkg is vulnerable when it's not supposed to be)
Next by Date: seamonkey
Previous by Thread: How to use fetch-pkg-vulnerabilities (says pkg is vulnerable when it's not supposed to be)
Next by Thread: seamonkey
Indexes:

Home | Main Index | Thread Index | Old Index