Updating libxml2 in poudriere jail

From: Simon Wright <simon.wright_at_gmx.net>
Date: Mon, 08 May 2023 01:36:45 UTC

Hi all,

I am using poudriere to build a small selection of ports with
non-default options. This is working fine; however, for the daily
security run on the VM that runs poudriere, I am seeing this warning:

=======================
Checking for security vulnerabilities in base (userland & kernel):
Database fetched: Sun May  7 03:40:24 PST 2023
0 problem(s) in 0 installed package(s) found.
0 problem(s) in 0 installed package(s) found.
portaudit for jails on vmserver04 - 2 problem(s) found.

portaudit for jail: pkg.home.santos-wright.net (JID: 10)

libxml2-2.10.3_2 (textproc/libxml2) is vulnerable:
   libxml2 -- multiple vulnerabilities
   CVE: CVE-2023-29469
   CVE: CVE-2023-28484
   WWW: https://vuxml.FreeBSD.org/freebsd/0bd7f07b-dc22-11ed-bf28-589cfc0f81b0.html

1 problem(s) found.

portaudit for jail: pkg.home.santos-wright.net (JID: 8)

libxml2-2.10.3_2 (textproc/libxml2) is vulnerable:
   libxml2 -- multiple vulnerabilities
   CVE: CVE-2023-29469
   CVE: CVE-2023-28484
   WWW: https://vuxml.FreeBSD.org/freebsd/0bd7f07b-dc22-11ed-bf28-589cfc0f81b0.html

1 problem(s) found.

======================

I have tried updating the jail, which works but finds no updates since it
is already on the latest security release:

[user /etc/periodic/daily]$ sudo poudriere jail -j FreeBSD:13:amd64 -u
[sudo] Enter user's password:
[00:00:00] Upgrading using ftp
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 13.2-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 13.2-RELEASE-p0.
13.2-RELEASE
[00:00:10] Recording filesystem state for clean... done

======================

I've tried manually starting the jail, installing pkg and updating
libxml2, which works, but on restarting the jail it has, as expected,
reverted to the vulnerable version of libxml2.

Can anyone point me in the right direction to eliminate the error
message on the daily security scan? Or can I remove this package from
the jail?

Thanks,

Simon.