I’ve been working on this for a while.
[23:18 r730-01 dvl ~] % pkg audit
curl-8.4.0 is vulnerable:
  curl -- SOCKS5 heap buffer overflow
  CVE: CVE-2023-38545
  WWW: https://vuxml.FreeBSD.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html

1 problem(s) in 1 installed package(s) found.
[23:18 r730-01 dvl ~] %
The original vuxml entry got it wrong. This problem was fixed in 8.4.0.
A subsequent commit fixed that.
So why am I still having this problem 48 hours later?
mtime.
This Mastodon thread covers it all.
This commit should avoid the problem in the future.
In the meantime, how do I fix it? Like this:
[23:18 r730-01 dvl ~] % sudo rm /var/db/pkg/vuln.xml
[23:23 r730-01 dvl ~] % sudo pkg audit -F
Fetching vuln.xml.xz: 100% 1 MiB 1.1MB/s 00:01
0 problem(s) in 0 installed package(s) found.
[23:23 r730-01 dvl ~] %
Ansible
Here is the Ansible playbook I used for the fix. To be complete, I should also have run pkg upgrade -y curl.
---
- hosts: all
  tasks:
    # Drop the cached vulnerability database so pkg cannot treat it as current
    - name: rm /var/db/pkg/vuln.xml
      command: "rm /var/db/pkg/vuln.xml"
    # Force a fresh fetch of vuln.xml.xz and re-run the audit
    - name: pkg audit -F
      command: "pkg audit -F"
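The same fix as an added, more idiomatic playbook (not the author's original): the removal uses the file module so it is idempotent, privileges are escalated as the manual fix did with sudo, and the curl upgrade the author notes was missing is included. It assumes FreeBSD hosts with pkg and an Ansible user that can become root.

```yaml
---
- hosts: all
  become: true   # assumption: the remote user can escalate to root, as sudo did in the manual fix
  tasks:
    - name: Remove the cached vuln.xml so its mtime cannot make pkg skip the download
      ansible.builtin.file:
        path: /var/db/pkg/vuln.xml
        state: absent

    - name: Force a fresh download of vuln.xml.xz and re-audit installed packages
      ansible.builtin.command: pkg audit -F
      register: audit
      changed_when: false   # auditing changes nothing on the host
      failed_when: false    # a non-zero exit here means findings to read, not a broken play

    - name: Show the audit report for this host
      ansible.builtin.debug:
        var: audit.stdout_lines

    - name: Upgrade curl, the step the author notes should also have been run
      ansible.builtin.command: pkg upgrade -y curl
```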