• daily security run output security vulnerabilities in base

    From Marco Moock@21:1/5 to All on Sun Jun 1 08:11:13 2025
    Hello!

    I got the following message by mail:

    Checking for packages with security vulnerabilities:
    Database fetched: 2025-05-30T04:45+02:00
    python311-3.11.11

    I can confirm that this is installed:

    [m@teufel ~]$ pkg version |grep python
    python311-3.11.11 =
    [m@teufel ~]$

    Although, I see no way to update that.

    [m@teufel ~]$ sudo pkg upgrade
    Updating FreeBSD repository catalogue...
    FreeBSD repository is up to date.
    All repositories are up to date.
    Checking for upgrades (5 candidates): 100%
    Processing candidates (5 candidates): 100%
    Checking integrity... done (0 conflicting)
    Your packages are up to date.
    [m@teufel ~]$

    Is there anything wrong on my system or why can't I update?

    --
    kind regards
    Marco

    Send spam to 1748757265muell@stinkedores.dorfdsl.de

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Winston@21:1/5 to Marco Moock on Sun Jun 1 09:01:53 2025
    Marco Moock <mm@dorfdsl.de> writes:
    Checking for packages with security vulnerabilities:
    Database fetched: 2025-05-30T04:45+02:00
    python311-3.11.11

    Yep.

    I can confirm that this is installed:

    [m@teufel ~]$ pkg version |grep python
    python311-3.11.11 =
    [m@teufel ~]$

    I prefer "pkg query %v python311", but the result is the same.

    Although, I see no way to update that.

    I, too, used to think this was strange, but that's how it works: They
    don't wait until a fix is available via pkg to alert you to the
    vulnerability. (I'm not sure, but maybe the fix *is* released via
    ports at that time, but takes longer to appear via pkg.)

    "pkg audit" gives you URLs to pages for each bug, so you can decide how
    serious they are. Those pages also tell you what version you need in
    order to have the fix included. That's important, because often there's
    a version in the pkg repository that's more recent than the one you have,
    but not late enough to include the fix, so you'd be able to upgrade, but
    the upgraded version would still have the bug, so maybe it's not worth upgrading yet.

    Worst case, you can disable the service until the fixed version is
    available.

    Is there anything wrong on my system or why can't I update?

    ... because the fix for that particular package isn't available via pkg
    yet.

    When "pkg rquery %v python311" says python311-3.11.11_1 or higher (in
    this particular case), upgrading will fix the problem.
    -WBE

  • From Winston@21:1/5 to I incorrectly on Sun Jun 1 09:06:41 2025
    A moment ago, I incorrectly said:
    When "pkg rquery %v python311" says python311-3.11.11_1 or higher (in
    this particular case), upgrading will fix the problem.

    Oops, sorry: "python311-3.11.12_1 or higher".
    -WBE

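The check described in the two replies above (compare the installed version, the version the repository offers, and the first fixed version named on the advisory page) as an added example; it is not code from any poster in this thread. The function names `ver_cmp` and `triage` are hypothetical, and `ver_cmp` is a simplified stand-in for `pkg version -t` so the logic runs without pkg.

```sh
#!/bin/sh
# Added example. On a FreeBSD host the three inputs would come from
#   pkg query %v NAME    (installed)
#   pkg rquery %v NAME   (repository)
#   the advisory page linked by "pkg audit" (first fixed version)
# and `pkg version -t A B` compares natively. ver_cmp is a simplified
# stand-in: dotted numeric versions with optional _REVISION and ,EPOCH.

# Print "<", "=" or ">" in the style of `pkg version -t A B`.
ver_cmp() {
    a=$1 b=$2
    ea=0; case $a in *,*) ea=${a##*,}; a=${a%,*};; esac
    eb=0; case $b in *,*) eb=${b##*,}; b=${b%,*};; esac
    ra=0; case $a in *_*) ra=${a##*_}; a=${a%_*};; esac
    rb=0; case $b in *_*) rb=${b##*_}; b=${b%_*};; esac
    # Epoch outranks the version proper.
    if [ "$ea" -lt "$eb" ]; then echo '<'; return; fi
    if [ "$ea" -gt "$eb" ]; then echo '>'; return; fi
    # Walk the dotted components; a missing component counts as 0.
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; cb=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
        if [ "${ca:-0}" -lt "${cb:-0}" ]; then echo '<'; return; fi
        if [ "${ca:-0}" -gt "${cb:-0}" ]; then echo '>'; return; fi
    done
    # Same upstream version: the port revision decides.
    if [ "$ra" -lt "$rb" ]; then echo '<'; return; fi
    if [ "$ra" -gt "$rb" ]; then echo '>'; return; fi
    echo '='
}

# What would "pkg upgrade" achieve for one audited package?
triage() {
    installed=$1 remote=$2 fixed=$3
    if [ "$(ver_cmp "$installed" "$fixed")" != '<' ]; then
        echo already-fixed
    elif [ "$(ver_cmp "$remote" "$fixed")" != '<' ]; then
        echo upgrade-fixes
    elif [ "$(ver_cmp "$remote" "$installed")" = '>' ]; then
        echo upgrade-available-still-vulnerable
    else
        echo wait-for-repo
    fi
}

# Version strings quoted in this thread.
triage 3.11.11 3.11.11   3.11.12_1
triage 3.11.11 3.11.12   3.11.12_1
triage 3.11.11 3.11.12_1 3.11.12_1
```

The middle case is the one the reply warns about: the repository offers something newer than what is installed, but it is still below the fixed version.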
  • From John D Groenveld@21:1/5 to Marco Moock on Sun Jun 1 19:52:18 2025
    In article <20250601081113.4f2543fd@ryz.dorfdsl.de>,
    Marco Moock <mm@dorfdsl.de> wrote:
    I got the following message by mail:

    Checking for packages with security vulnerabilities:
    Database fetched: 2025-05-30T04:45+02:00
    python311-3.11.11

    I can confirm that this is installed:

    [m@teufel ~]$ pkg version |grep python
    python311-3.11.11

    <URL:https://www.python.org/downloads/release/python-31112/>

    Although, I see no way to update that.

    [m@teufel ~]$ sudo pkg upgrade
    Updating FreeBSD repository catalogue...
    FreeBSD repository is up to date.
    All repositories are up to date.
    Checking for upgrades (5 candidates): 100%
    Processing candidates (5 candidates): 100%
    Checking integrity... done (0 conflicting)
    Your packages are up to date.
    [m@teufel ~]$

    Is there anything wrong on my system or why can't I update?

    <URL:https://cgit.freebsd.org/ports/commit/?h=2025Q2&id=7a1a2f8f2e3d6a41ebd7120f14c31e6a2dfba809>

    $ pkg rquery '%v' python311
    3.11.12

    John
    groenveld@acm.org

  • From Marco Moock@21:1/5 to All on Mon Jun 2 08:50:37 2025
    On 01.06.2025 at 19:52 John D Groenveld wrote:

    $ pkg rquery '%v' python311
    3.11.12

    [m@teufel ~]$ pkg rquery '%v' python311
    3.11.11
    [m@teufel ~]$

    I also tried pkg update, still the old version.

    [m@teufel ~]$ grep -v ^# /etc/pkg/FreeBSD.conf

    FreeBSD: {
    url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/share/keys/pkg",
    enabled: yes
    }
    [m@teufel ~]$

    --
    kind regards
    Marco

    Send spam to 1748800338muell@stinkedores.dorfdsl.de

  • From Winston@21:1/5 to Marco Moock on Mon Jun 2 08:05:59 2025
    Marco Moock <mm@dorfdsl.de> writes:
    [m@teufel ~]$ grep -v ^# /etc/pkg/FreeBSD.conf

    FreeBSD: {
    url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/share/keys/pkg",
    enabled: yes
    }

    /usr/local/etc/pkg/repos/FreeBSD.conf supersedes that and
    may have url: ending with /latest instead of /quarterly.
    -WBE

  • From Winston@21:1/5 to All on Mon Jun 2 07:57:53 2025
    I see that python311-3.11.12_1 is available via pkg this morning.
    -WBE

  • From John D Groenveld@21:1/5 to Marco Moock on Mon Jun 2 12:33:39 2025
    In article <20250602085037.3e5d6c36@ryz.dorfdsl.de>,
    Marco Moock <mm@dorfdsl.de> wrote:
    [m@teufel ~]$ pkg rquery '%v' python311
    3.11.11
    [m@teufel ~]$

    I also tried pkg update, still the old version.

    [m@teufel ~]$ grep -v ^# /etc/pkg/FreeBSD.conf

    FreeBSD: {
    url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/share/keys/pkg",
    enabled: yes
    }

    My WAG is that latest quarterly were built before the 3.11.12 was committed into the quarterly branch: <URL:https://cgit.freebsd.org/ports/commit/?h=2025Q2&id=7a1a2f8f2e3d6a41ebd7120f14c31e6a2dfba809>
    <URL:https://pkg-status.freebsd.org/>

    Potential work-arounds are to switch to latest ports branch or build the lang/python311 package from the ports tree.
    John
    groenveld@acm.org

  • From Marco Moock@21:1/5 to All on Mon Jun 2 14:50:43 2025
    On 02.06.2025 at 08:05 Winston wrote:

    /usr/local/etc/pkg/repos/FreeBSD.conf supersedes that and
    may have url: ending with /latest instead of /quarterly.

    I don't have that file.

    --
    kind regards
    Marco

    Send spam to 1748844359muell@stinkedores.dorfdsl.de

  • From John D Groenveld@21:1/5 to mm@dorfdsl.de on Mon Jun 2 13:58:26 2025
    In article <20250602145043.0ed33044@ryz.dorfdsl.de>,
    Marco Moock <mm@dorfdsl.de> wrote:
    /usr/local/etc/pkg/repos/FreeBSD.conf supersedes that and
    may have url: ending with /latest instead of /quarterly.

    I don't have that file.

    <URL:https://man.freebsd.org/cgi/man.cgi?query=pkg&apropos=0&sektion=0&manpath=FreeBSD+14.2-RELEASE+and+Ports&arch=default&format=html>
    Configuration varies in whether it is in a repository configuration
    file or the global configuration file. The default repository configuration
    for FreeBSD is stored in /etc/pkg/FreeBSD.conf, and additional
    repository configuration files will be searched for in REPOS_DIR, or
    /usr/local/etc/pkg/repos if it is unset.

    John
    groenveld@acm.org

  • From Marco Moock@21:1/5 to All on Thu Jun 5 17:12:40 2025
    On 02.06.2025 at 12:33 John D Groenveld wrote:

    My WAG is that latest quarterly were built before the 3.11.12 was
    committed into the quarterly branch: <URL:https://cgit.freebsd.org/ports/commit/?h=2025Q2&id=7a1a2f8f2e3d6a41ebd7120f14c31e6a2dfba809>
    <URL:https://pkg-status.freebsd.org/>

    Potential work-arounds are to switch to latest ports branch or build
    the lang/python311 package from the ports tree.

    What is the recommended way to handle that?

    I want a stable system with security updates, fast releases are fine.

    --
    kind regards
    Marco

    Send spam to 1748860419muell@stinkedores.dorfdsl.de

  • From Marco Moock@21:1/5 to All on Fri Jun 6 10:35:39 2025
    On 02.06.2025 08:50 Marco Moock wrote:

    [m@teufel ~]$ pkg rquery '%v' python311
    3.11.11
    [m@teufel ~]$

    I also tried pkg update, still the old version.

    Today this changed and I was able to update to the current version
    without modifying any config on my system.
