Re: www/py-aiohttp vulnerabilities
- Reply: Li-Wen Hsu : "Re: www/py-aiohttp vulnerabilities"
- In reply to: Andrea Venturoli : "www/py-aiohttp vulnerabilities"
Date: Wed, 23 Jun 2021 07:28:24 UTC
Hi!

> pkg audit complains that
> > py37-aiohttp-3.7.4.p0 (www/py-aiohttp) is vulnerable:
> > aiohttp -- open redirect vulnerability
> > CVE: CVE-2021-21330
> > WWW: https://vuxml.FreeBSD.org/freebsd/3000acee-c45d-11eb-904f-14dae9d5a9d2.html
> >
> > 1 problem(s) found.
>
> However, AFAICT following the link, this CVE was fixed in 3.7.4.
> Is this version vulnerable or not?
>
> Reading https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256219, IIUIC,
> looks like answer is no.
> Is then something wrong with my audit database?

From reading the ticket it's probably a problem of the PORTVERSION --
there's some ordering assumption, which causes 3.7.4 to be newer
than 3.7.4.post0.

--
pi@opsec.eu +49 171 3101372 Now what ?
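The ordering effect described in the reply, as an added example that is not part of the original message and is not pkg's comparison code. It is a simplified model that assumes a version component starting with a letter sorts below an absent component, which reproduces the audit result quoted above; `port_cmp`, `upstream_cmp` and `audit_matches` are hypothetical names, and port revisions and epochs are not modelled.

```python
import re

# Constructed model: each dot-separated component is (number, letter, patchlevel).
# Assumption: a component with no leading digits gets number -1, so it sorts
# below a missing component, which is padded as (0, "", 0).
_COMPONENT = re.compile(r"(\d*)([a-z]*)(\d*)")

def port_key(version):
    """Sort key for the port-style ordering modelled here."""
    key = []
    for part in version.lower().split("."):
        num, letter, patch = _COMPONENT.fullmatch(part).groups()
        key.append((int(num) if num else -1, letter[:1], int(patch or 0)))
    return key

def port_cmp(a, b):
    """Return -1, 0 or 1 as a sorts before, equal to, or after b."""
    ka, kb = port_key(a), port_key(b)
    width = max(len(ka), len(kb))
    pad = (0, "", 0)
    ka += [pad] * (width - len(ka))
    kb += [pad] * (width - len(kb))
    return (ka > kb) - (ka < kb)

def upstream_cmp(a, b):
    """PEP 440 subset: N.N.N with optional .postM; a post release sorts after its base."""
    def key(v):
        m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:\.post(\d+))?", v)
        release = [int(x) for x in m.group(1).split(".")]
        while release and release[-1] == 0:   # 1.0 and 1.0.0 compare equal
            release.pop()
        return (release, int(m.group(2)) if m.group(2) is not None else -1)
    return (key(a) > key(b)) - (key(a) < key(b))

def audit_matches(installed, fixed_in, cmp):
    """True when installed falls inside the advisory range '< fixed_in'."""
    return cmp(installed, fixed_in) < 0

if __name__ == "__main__":
    # Same release, two naming schemes, opposite audit verdicts.
    print(audit_matches("3.7.4.p0", "3.7.4", port_cmp))
    print(audit_matches("3.7.4.post0", "3.7.4", upstream_cmp))
```
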