pkgsrc-Users archive


How to use fetch-pkg-vulnerabilities (says pkg is vulnerable when it's not supposed to be)



I ran pkg_admin fetch-pkg-vulnerabilities but while trying to build
lang/python37 make is still showing:

Package python37-3.7.10 has a buffer-overflow vulnerability, see
https://nvd.nist.gov/vuln/detail/CVE-2021-3177

even though it was fixed per the upstream commit:

bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and \
ctypes.c_longdouble values.

There are 2 older vulnerabilities that were patched previous to this.

Is pkg vulnerabilities outdated or am I doing something wrong here? I
have a somewhat complicated networking setup for this host, I have to
reverse tunnel through a jump host and another proxy and no FTP or
IPv6 support in order to access the internet to fetch. How do I
verbose fetch-pkg-vulnerabilities to see that it is actually fetching?
(make fetch works fine with curl progress bar when I manually munge
MASTER_SITES to accommodate lack of FTP and IPv6).

