[Bug 281837] Handbook "CentOS Base System from FreeBSD Packages" recommends deprecated packages

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 281837] Handbook "CentOS Base System from FreeBSD Packages" recommends deprecated packages"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 07 Oct 2024 17:14:14 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281837

--- Comment #12 from Sean McBride <sean@rogue-research.com> ---
Fernando, I don't know where or how or who marked it deprecated.

1) it shows as deprecated on freshports:
https://www.freshports.org/emulators/linux_base-c7/

2) running `pkg update/upgrade` the other day I got the following output:

```
Message from linux_base-c7-7.9.2009_3:

--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

CentOS Linux 7 reached end of life (EOL) on June 30, 2024.
=====
Message from linux-c7-devtools-7.9.2009_3:

--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:
```

3) running `pkg audit` just now and I get things like:

```
  libsndfile -- out-of-bounds read memory access
  CVE: CVE-2017-6892
  WWW:
https://vuxml.FreeBSD.org/freebsd/004debf9-1d16-11e8-b6aa-4ccc6adda413.html

  libsndfile -- multiple vulnerabilities
  CVE: CVE-2017-14634
  CVE: CVE-2017-12562
  CVE: CVE-2017-8365
  CVE: CVE-2017-8363
  CVE: CVE-2017-8362
  CVE: CVE-2017-8361
  WWW:
https://vuxml.FreeBSD.org/freebsd/2b386075-1d9c-11e8-b6aa-4ccc6adda413.html

  libsndfile -- out-of-bounds reads
  CVE: CVE-2017-17457
  CVE: CVE-2017-17456
  CVE: CVE-2017-14246
  CVE: CVE-2017-14245
  WWW:
https://vuxml.FreeBSD.org/freebsd/30704aba-1da4-11e8-b6aa-4ccc6adda413.html

  libsndfile -- multiple vulnerabilities
  CVE: CVE-2017-7742
  CVE: CVE-2017-7741
  CVE: CVE-2017-7586
  CVE: CVE-2017-7585
  WWW:
https://vuxml.FreeBSD.org/freebsd/5a97805e-93ef-4dcb-8d5e-dbcac263bfc2.html

linux-c7-nettle-2.7.1_1 is vulnerable:
  nettle 3.7.2 -- fix serious ECDSA signature verify bug
  WWW:
https://vuxml.FreeBSD.org/freebsd/80f9dbd3-8eec-11eb-b9e8-3525f51429a0.html

linux-c7-sqlite-3.7.17_2 is vulnerable:
  sqlite -- use-after-free bug in jsonparseaddnodearray
  CVE: CVE-2024-0232
  WWW:
https://vuxml.FreeBSD.org/freebsd/42ec2207-7e85-11ef-89a4-b42e991fc52e.html

```

If freshports can be trusted, these ports are not getting updates, not even
security updates.

So again: it seems to me the Handbook should really not be suggesting their
use.

-- 
You are receiving this mail because:
You are the assignee for the bug.