pkgsrc-Users archive


Re: How to use fetch-pkg-vulnerabilities (says pkg is vulnerable when it's not supposed to be)



Hello Peter,

Peter Lai writes:
> I ran pkg_admin fetch-pkg-vulnerabilities but while trying to build
> lang/python37 make is still showing:
>
> Package python37-3.7.10 has a buffer-overflow vulnerability, see
> https://nvd.nist.gov/vuln/detail/CVE-2021-3177
>
> even though it was fixed per the upstream commit:
>
> bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and \
> ctypes.c_longdouble values.
>
> There are 2 older vulnerabilities that were patched previous to this.
>
> Is pkg vulnerabilities outdated or am I doing something wrong here? I
> have a somewhat complicated networking setup for this host, I have to
> reverse tunnel through a jump host and another proxy and no FTP or
> IPV6 support in order to access the internet to fetch. How do I
> verbose fetch-pkg-vulnerabilities to see that it is actually fetching?
> (make fetch works fine with curl progress bar when I manually munge
> MASTER_SITES to accommodate lack of FTP and IPV6).

Nope, `pkg-vulnerabilities' was not updated to reflect that, I have just
updated it per information in
<https://python-security.readthedocs.io/vuln/ftplib-pasv.html>, thank
you for reporting that!
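To show why a stale pkg-vulnerabilities entry flags a package that already carries the fix, here is an added example (not from this thread or from pkgsrc): a simplified version of the audit pkg_admin performs, run over a constructed excerpt in the file's `pattern type URL` line format. The two python37 entries are hypothetical (an old upper bound that still covers 3.7.10 and a corrected one that stops at it), and only `<` / `<=` patterns with numeric and `nb` components are handled.

```python
import re

# Constructed excerpt in pkg-vulnerabilities format: "<pkg-pattern> <type> <url>".
# Both python37 entries are hypothetical; the URL is the CVE link from the thread.
OLD_DB = """#FORMAT 1.1.0
python37<3.7.11 buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2021-3177
"""
NEW_DB = """#FORMAT 1.1.0
python37<3.7.10 buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2021-3177
"""

def dewey(version):
    """Split '3.7.9nb2' into a comparable tuple ((3, 7, 9), 2); nb is the pkgsrc revision."""
    base, _, nb = version.partition("nb")
    return tuple(int(p) for p in base.split(".")), int(nb or 0)

def parse_db(text):
    """Return (pattern, type, url) triples, skipping blank and '#' header lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, vtype, url = line.split(None, 2)
        entries.append((pattern, vtype, url))
    return entries

# name, then a single relational operator, then the version bound (simplified grammar)
PATTERN = re.compile(r"^([A-Za-z0-9_+.-]+?)(<=|<)([0-9][0-9A-Za-z.]*)$")

def matches(pattern, pkgname, pkgversion):
    """True if the installed name/version falls inside the vulnerable range."""
    m = PATTERN.match(pattern)
    if not m or m.group(1) != pkgname:
        return False
    op, limit = m.group(2), m.group(3)
    if op == "<":
        return dewey(pkgversion) < dewey(limit)
    return dewey(pkgversion) <= dewey(limit)

def audit(db_text, installed):
    """installed is 'name-version', e.g. 'python37-3.7.10'; returns applicable (type, url)."""
    pkgname, _, version = installed.rpartition("-")
    return [(t, u) for p, t, u in parse_db(db_text) if matches(p, pkgname, version)]
```

With OLD_DB the already-patched python37-3.7.10 is still reported, which is the symptom in the question; after the entry is corrected only older versions (including pkgsrc revisions such as 3.7.9nb2) match.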

