From: Mark Millard
Subject: RE: Updating libxml2 in poudriere jail
Date: Sun, 7 May 2023 21:40:13 -0700
To: simon.wright@gmx.net, FreeBSD Mailing List
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

Simon Wright wrote on
Date: Mon, 08 May 2023 01:36:45 UTC :

> I am using poudriere to build a small selection of posts with
> non-default options. This is working fine, however for the daily
> security run on the VM that runs poudriere, I am seeing this warning:
>
> =======================
> Checking for security vulnerabilities in base (userland & kernel):
> Database fetched: Sun May 7 03:40:24 PST 2023
> 0 problem(s) in 0 installed package(s) found.
> 0 problem(s) in 0 installed package(s) found.
> portaudit for jails on vmserver04 - 2 problem(s) found.
>
> portaudit for jail: pkg.home.santos-wright.net (JID: 10)
>
> libxml2-2.10.3_2 (textproc/libxml2) is vulnerable:
> libxml2 -- multiple vulnerabilities
> CVE: CVE-2023-29469
> CVE: CVE-2023-28484
> WWW:
> https://vuxml.FreeBSD.org/freebsd/0bd7f07b-dc22-11ed-bf28-589cfc0f81b0.html
>
> 1 problem(s) found.
>
> portaudit for jail: pkg.home.santos-wright.net (JID: 8)
>
> libxml2-2.10.3_2 (textproc/libxml2) is vulnerable:
> libxml2 -- multiple vulnerabilities
> CVE: CVE-2023-29469
> CVE: CVE-2023-28484
> WWW:
> https://vuxml.FreeBSD.org/freebsd/0bd7f07b-dc22-11ed-bf28-589cfc0f81b0.html
>
> 1 problem(s) found.
>
> ======================
>
> I have tried updating the jail which works but finds no updates since it
> is already on the latest security release:
>
> [user /etc/periodic/daily]$ sudo poudriere jail -j FreeBSD:13:amd64 -u
> [sudo] Enter user's password:
> [00:00:00] Upgrading using ftp
> Looking up update.FreeBSD.org mirrors... 2 mirrors found.
> Fetching metadata signature for 13.2-RELEASE from update1.freebsd.org...
> done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
>
> No updates needed to update system to 13.2-RELEASE-p0.
> 13.2-RELEASE
> [00:00:10] Recording filesystem state for clean... done

I'm confused. textproc/libxml2 is not part of any
13.2-RELEASE-p* and so would not be updated by an
update to 13.2-RELEASE-p* .

> ======================
>
> I've tried manually starting the jail, installing pkg and updating
> libxml2 which works but on restarting the jail, it has as expected
> reverted to the vulnerable version of libxml2.

It is important for poudriere operation that the jail(s)
it uses not have packages pre-installed. That can interfere
with poudriere building ports into packages and/or with
installing them as needed. (Messing up detection of what
is missing and, so, needs to be built or installed.)

poudriere bulk should do all its own package installations
for use in all builders as I understand things.

> Can anyone point me in the right direction to eliminate the error
> message on the daily security scan? Or can I remove this package from
> the jail?

If you have packages that look to be installed in jail(s)
even when poudriere is not doing the likes of a bulk build
(or related), then I suggest uninstalling such. Even if
such is not a (full) fix of the overall issue, as far as
I know, pre-installed packages are not a valid/general
solution to anything for poudriere bulk operation.

===
Mark Millard
marklmi at yahoo.com
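
An added example, not part of the original message or of FreeBSD's periodic scripts: an sh/awk filter that condenses the per-jail section of a daily security report like the one quoted above into one line per finding, so it is clear which JIDs hold installed packages. The function names and the tab-separated output layout are assumptions of this example; the sample input is an excerpt of the quoted report.

```shell
#!/bin/sh
# Added example: condense the per-jail findings of a daily security report
# into one tab-separated line per vulnerable package:
#   JID  jail  package  origin  CVEs
summarise_jail_findings() {
    awk '
    function emit() {
        if (pkg != "") printf "%s\t%s\t%s\t%s\t%s\n", jid, jail, pkg, origin, cves
        pkg = ""; origin = ""; cves = ""
    }
    BEGIN { jid = "-"; jail = "host" }   # findings before any jail header
    # Accept mail-quoted reports: strip "> " prefixes and stray whitespace.
    { sub(/^(> ?)+/, ""); sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /^portaudit for jail: / {
        emit(); jail = $4; jid = $NF; gsub(/[^0-9]/, "", jid); next
    }
    / is vulnerable:$/ {
        emit(); pkg = $1; origin = $2; gsub(/[()]/, "", origin); next
    }
    /^CVE: / && pkg != "" { cves = (cves == "" ? $2 : cves "," $2); next }
    /problem\(s\) found/ { emit() }
    END { emit() }
    '
}

# Excerpt of the report quoted in the message above, used as sample input.
sample_report() {
    cat <<'EOF'
portaudit for jails on vmserver04 - 2 problem(s) found.

portaudit for jail: pkg.home.santos-wright.net (JID: 10)

libxml2-2.10.3_2 (textproc/libxml2) is vulnerable:
libxml2 -- multiple vulnerabilities
CVE: CVE-2023-29469
CVE: CVE-2023-28484

1 problem(s) found.

portaudit for jail: pkg.home.santos-wright.net (JID: 8)

libxml2-2.10.3_2 (textproc/libxml2) is vulnerable:
CVE: CVE-2023-29469
CVE: CVE-2023-28484

1 problem(s) found.
EOF
}

sample_report | summarise_jail_findings
```

Each JID in the output can then be inspected with `pkg -j <JID> info` to see which packages are installed in that jail.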