Commit
audit: fix a race in the file timestamp
Before this, the code was setting the timestamp of the file on the HTTP server on the compressed file but never on the uncompressed one, but to decide whether a new version should be fetched, pkg gets the mtime from the uncompressed file.

Reported by: dvl
2fe36a5
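An added illustration of the mismatch the commit message describes (example code written for this page, not pkg's own). It models the freshness check as comparing the uncompressed file's mtime against the server's timestamp, which is an assumption; the paths, the fake download and decompress step, and the function names are constructed for the example.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <utime.h>
/* Constructed scratch paths (placeholders, not pkg's real locations). */
#define XZ_PATH  "/tmp/vuln_example.xml.xz"
#define XML_PATH "/tmp/vuln_example.xml"

/* Write `data` to `path`; stands in for the download / decompress step. */
static int write_file(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Set atime/mtime of `path` to the server's timestamp. */
static int set_mtime(const char *path, time_t when) {
    struct utimbuf times = { when, when };
    return utime(path, &times);
}

/* Freshness check as the commit message describes it: the decision is made
 * from the mtime of the *uncompressed* file. Returns 1 if a fetch is needed. */
static int needs_refetch(const char *xml, time_t server_mtime) {
    struct stat st;
    if (stat(xml, &st) != 0) return 1;            /* no local copy: fetch */
    return st.st_mtime < server_mtime;            /* server copy is newer */
}

/* Fetch + decompress. Before the fix only the compressed file was stamped
 * with the server time; stamp_xml = 1 models the fix (stamp both files). */
static int fetch(time_t server_mtime, int stamp_xml) {
    if (write_file(XZ_PATH, "xz-bytes") || write_file(XML_PATH, "<vuxml/>")) return -1;
    if (set_mtime(XZ_PATH, server_mtime)) return -1;
    if (stamp_xml && set_mtime(XML_PATH, server_mtime)) return -1;
    return 0;
}

/* Scenario: fetch a file published two hours ago, then ask whether a copy
 * published one hour ago should be fetched. Returns needs_refetch's answer. */
int refetch_after_newer_publish(int stamp_xml) {
    time_t now = time(NULL);
    if (fetch(now - 7200, stamp_xml) != 0) return -1;
    return needs_refetch(XML_PATH, now - 3600);
}

int main(void) {
    /* Unstamped uncompressed file carries its local write time, so the newer
     * server copy is never fetched; stamping both files restores the fetch. */
    printf("unfixed: %d  fixed: %d\n", refetch_after_newer_publish(0), refetch_after_newer_publish(1));
    return 0;
}
```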
Patched pkg here, installed it on a problem host, ran pkg audit -F, curl 8.4.0 is still vuln. Am I doing this right?
I just checked locally: once curl 8.4.0 is installed, curl is not a vuln anymore, so everything is fine.
I agree.

However, I have monitoring checks for pkg audit failures. They were still alerting. I cleared them out via rm /var/db/pkg/vuln.xml; pkg audit -F

- re https://dan.langille.org/2023/10/13/got-a-pkg-vuln-you-cant-get-rid-of/

Thank you for fixing.