From: bugzilla-noreply@freebsd.org
To: pkg@FreeBSD.org
Subject: maintainer-feedback requested: [Bug 274251] ports-mgmt/pkg upgrade -v identifies packages not identified by pkg audit -F
Date: Tue, 03 Oct 2023 19:55:08 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pkg@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback?
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Binary package management and package tools discussion
List-Archive: https://lists.freebsd.org/archives/freebsd-pkg

Bugzilla Automation has asked freebsd-pkg (Nobody) for maintainer-feedback:

Bug 274251: ports-mgmt/pkg upgrade -v identifies packages not identified by pkg audit -F
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274251

--- Description ---
FreeBSD 13.2-RELEASE-p3
pkg -v
1.20.6

Package audit shows no vulnerabilities using the following command:

pkg audit -F
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.

However, using `pkg upgrade -v -n` the output indicates there are two vulnerable packages:

pkg upgrade -v -n
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
vulnxml file up-to-date
Checking for upgrades (41 candidates): 100%
Processing candidates (41 candidates): 100%
The following 42 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	p5-IO-Socket-IP: 0.42

Installed packages to be UPGRADED:
	bareos-client: 21.0.0 -> 22.0.3
	bash: 5.1.16 -> 5.2.15
	bat: 0.19.0_2 -> 0.23.0_5
	exa: 0.10.1_9 -> 0.10.1_25
	fish: 3.6.0 -> 3.6.1_1
	git: 2.41.0 -> 2.42.0
	icdiff: 2.0.6 -> 2.0.7
	libgit2: 1.3.0 -> 1.6.4
	libidn2: 2.3.3 -> 2.3.4
	libpsl: 0.21.1_5 -> 0.21.2_3
	libunistring: 1.0 -> 1.1
	libxml2: 2.10.4 -> 2.10.4_1
	nginx: 1.20.2_7,2 -> 1.24.0_12,3
	oniguruma: 6.9.7.1 -> 6.9.8_1
	p5-Authen-SASL: 2.16_1 -> 2.17
	p5-Clone: 0.45 -> 0.46
	p5-HTTP-Date: 6.05 -> 6.06
	p5-HTTP-Message: 6.36 -> 6.45
	p5-IO-Socket-SSL: 2.083 -> 2.083_1
	p5-Mozilla-CA: 20221114 -> 20230821
	p5-URI: 5.10 -> 5.21
	pam_ssh_agent_auth: 0.10.4_1 -> 0.10.4_4
	pcre: 8.45_1 -> 8.45_3
	perl5: 5.32.1_3 -> 5.34.1_3
	sudo: 1.9.12p1 -> 1.9.14p3
	vim: 9.0.0379 -> 9.0.1876
	zabbix64-agent: 6.4.4 -> 6.4.7

Installed packages to be REINSTALLED:
	cyrus-sasl-2.1.28 (vulnerability found)
	p5-CGI-4.57 (direct dependency changed: perl5)
	p5-Digest-HMAC-1.04 (direct dependency changed: perl5)
	p5-Encode-Locale-1.05 (direct dependency changed: perl5)
	p5-Error-0.17029 (direct dependency changed: perl5)
	p5-GSSAPI-0.28_2 (direct dependency changed: perl5)
	p5-HTML-Parser-3.81 (direct dependency changed: perl5)
	p5-HTML-Tagset-3.20_1 (direct dependency changed: perl5)
	p5-IO-HTML-1.004 (direct dependency changed: perl5)
	p5-IO-Socket-INET6-2.72_1 (vulnerability found)
	p5-LWP-MediaTypes-6.04 (direct dependency changed: perl5)
	p5-Net-SSLeay-1.92 (direct dependency changed: perl5)
	p5-Socket6-0.29 (direct dependency changed: perl5)
	p5-TimeDate-2.33,1 (direct dependency changed: perl5)

Number of packages to be installed: 1
Number of packages to be upgraded: 27
Number of packages to be reinstalled: 14

The process will require 8 MiB more space.
44 MiB to be downloaded.
---
pkg info cyrus-sasl | grep Version
Version : 2.1.28
pkg info p5-IO-Socket-INET6 | grep Version
Version : 2.72_1
---
The vuxml database timestamp indicated the file was up-to-date.

In the scenario where Zabbix or Nagios is using `pkg audit` to check for vulnerable packages, it would miss items identified by `pkg upgrade`; however, upon verifying the packages identified by `pkg upgrade`, they do not appear to be vulnerable.

cyrus-sasl: https://vuxml.freebsd.org/freebsd/a80c6273-988c-11ec-83ac-080027415d17.html

p5-IO-Socket-INET6 does not exist in https://vuxml.freebsd.org/freebsd/index-pkg.html
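A monitoring-side reconciliation of the two sources the report compares, added here as an example that is not part of the report or of pkg itself: it extracts the packages that `pkg upgrade -v -n` marks `(vulnerability found)` and the packages `pkg audit` reports as vulnerable, and turns any disagreement into a Nagios-style exit code instead of silently trusting one source. The sample outputs are constructed from the report's text, and the `NAME-VERSION is vulnerable:` line format of `pkg audit` is an assumption.

```python
import re
import subprocess

# Constructed: trimmed `pkg upgrade -v -n` output, taken from the report above.
SAMPLE_UPGRADE = """\
Installed packages to be REINSTALLED:
	cyrus-sasl-2.1.28 (vulnerability found)
	p5-CGI-4.57 (direct dependency changed: perl5)
	p5-IO-Socket-INET6-2.72_1 (vulnerability found)
"""
# Constructed: `pkg audit` with nothing flagged (as in the report) and with one
# package flagged; the "NAME-VERSION is vulnerable:" line format is assumed.
SAMPLE_AUDIT_CLEAN = "vulnxml file up-to-date\n0 problem(s) in 0 installed package(s) found.\n"
SAMPLE_AUDIT_FLAGGED = """\
vulnxml file up-to-date
cyrus-sasl-2.1.28 is vulnerable:
1 problem(s) in 1 installed package(s) found.
"""

UPGRADE_VULN = re.compile(r"^\s*(\S+) \(vulnerability found\)\s*$", re.M)
AUDIT_VULN = re.compile(r"^(\S+) is vulnerable:", re.M)

def upgrade_vulns(text):
    """name-version of packages `pkg upgrade -n` would reinstall for a vulnerability."""
    return set(UPGRADE_VULN.findall(text))

def audit_vulns(text):
    """name-version of packages `pkg audit` reports as vulnerable."""
    return set(AUDIT_VULN.findall(text))

def reconcile(upgrade_text, audit_text):
    """Split both result sets into agreement and the two kinds of disagreement."""
    up, au = upgrade_vulns(upgrade_text), audit_vulns(audit_text)
    return {"both": up & au, "upgrade_only": up - au, "audit_only": au - up}

def exit_code(result):
    """2 (CRITICAL) when pkg audit flags anything; 1 (WARNING) when only pkg upgrade
    flags a package, so the disagreement the report describes becomes visible."""
    if result["both"] or result["audit_only"]:
        return 2
    return 1 if result["upgrade_only"] else 0

if __name__ == "__main__":
    # Live run: both commands exit non-zero when they flag something, so no check=True.
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    result = reconcile(run("pkg", "upgrade", "-v", "-n"), run("pkg", "audit"))
    print({k: sorted(v) for k, v in result.items()})
    raise SystemExit(exit_code(result))
```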