Got a pkg vuln you can’t get rid of?

I’ve been working on this for a while.

[23:18 r730-01 dvl ~] % pkg audit
curl-8.4.0 is vulnerable:
  curl -- SOCKS5 heap buffer overflow
  CVE: CVE-2023-38545

1 problem(s) in 1 installed package(s) found.
[23:18 r730-01 dvl ~] % 

The original VuXML entry got it wrong: this problem was fixed in curl 8.4.0, yet the entry listed 8.4.0 as affected.

A subsequent commit to VuXML corrected the entry.

So why am I still having this problem 48 hours later?


This Mastodon thread covers it all.

This commit should avoid the problem in the future.

In the meantime, how do I fix it? Like this:

[23:18 r730-01 dvl ~] % sudo rm /var/db/pkg/vuln.xml
[23:23 r730-01 dvl ~] % sudo pkg audit -F
Fetching vuln.xml.xz: 100% 1 MiB 1.1MB/s 00:01
0 problem(s) in 0 installed package(s) found.
[23:23 r730-01 dvl ~] %
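The same refresh, plus a little parsing of pkg audit output so the result can be checked across a fleet, as an added sh example (not from the original post or from pkg itself). The sample output is constructed from the transcript above; the only assumption is that real pkg audit output keeps that format ("NAME-VERSION is vulnerable:", indented "CVE:" lines, a trailing "N problem(s) ..." summary). The refresh function needs root and an actual pkg binary; the parsing functions run anywhere.

```sh
#!/bin/sh
# Added example: parse `pkg audit` output and force a fresh vuln.xml.
# Assumes the output format shown in the transcript above.

# Constructed sample, copied from the transcript above (not live output).
SAMPLE_AUDIT='curl-8.4.0 is vulnerable:
  curl -- SOCKS5 heap buffer overflow
  CVE: CVE-2023-38545

1 problem(s) in 1 installed package(s) found.'

# CVE ids named in audit output on stdin, one per line, de-duplicated.
audit_cves() {
    sed -n 's/^[[:space:]]*CVE:[[:space:]]*\(CVE-[0-9][0-9]*-[0-9][0-9]*\).*/\1/p' | sort -u
}

# Package names (with version) flagged in audit output on stdin.
audit_pkgs() {
    sed -n 's/^\([^[:space:]][^[:space:]]*\) is vulnerable:.*/\1/p' | sort -u
}

# Exit 0 when audit output on stdin reports zero problems.
audit_clean() {
    grep -q '^0 problem(s)'
}

# Exit 0 when the given CVE id is still listed in audit output on stdin.
# Usage: pkg audit | still_listed CVE-2023-38545
still_listed() {
    audit_cves | grep -qx "$1"
}

# The fix from the post: drop the cached database so `pkg audit -F` fetches
# a fresh copy instead of trusting the stale one, then re-audit. Needs root.
# pkg audit exits non-zero when it finds problems, so report rather than abort.
refresh_and_audit() {
    rm -f /var/db/pkg/vuln.xml
    if pkg audit -F; then
        echo "clean after refresh"
    else
        echo "still vulnerable after refresh; consider: pkg upgrade -y <pkg>"
    fi
}

# Demo on the constructed sample (no pkg binary needed).
printf '%s\n' "$SAMPLE_AUDIT" | audit_cves
printf '%s\n' "$SAMPLE_AUDIT" | audit_pkgs
```

On a real host, `pkg audit | still_listed CVE-2023-38545` after `refresh_and_audit` tells you whether the stale database was the only reason the package was flagged, or whether the package genuinely still needs upgrading.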


Here is the ansible playbook I used for the fix. To be complete, I should have also run pkg upgrade -y curl.

- hosts: all
  become: true

  tasks:
    - name: rm /var/db/pkg/vuln.xml
      file:
        path: /var/db/pkg/vuln.xml
        state: absent

    - name: pkg audit -F
      command: "pkg audit -F"
      # pkg audit exits non-zero when it finds problems; don't fail the play on that
      failed_when: false
      changed_when: false
