Solved Package found vulnerable in a jail, but not on the host

quamenzullo · Apr 30, 2022

Hi! How is it possible to have the same package, same version, same OS to be found vulnerable in a jail but not on the host?

Inside a fresh pkg upgraded jail:

Code:

root@web1:~ # pkg audit
curl-7.82.0_1 is vulnerable:
  cURL -- Multiple vulnerabilities
...
1 problem(s) in 1 installed package(s) found.
root@web1:~ # exit
logout

Now from the host (also upgraded):

Code:

root@host3:/home/user # pkg audit
0 problem(s) in 0 installed package(s) found.
root@host3:/home/user # pkg show curl
curl-7.82.0_1
Name           : curl
Version        : 7.82.0_1
Installed on   : ...

How is that possible?

monwarez · Apr 30, 2022

Maybe one has the pkg audit database updated ?

quamenzullo · Apr 30, 2022

Alright, it's necessary to update the vulnerabilities information using -F:

Code:

root@host3:/home/user # pkg audit -F
Fetching vuln.xml.xz: 100%  945 KiB 968.0kB/s    00:01    
curl-7.82.0_1 is vulnerable:
  cURL -- Multiple vulnerabilities
  ...

1 problem(s) in 1 installed package(s) found.

eternal_noob · Apr 30, 2022

quamenzullo said:
it's necessary to update the vulnerabilities information using -F:

I consider this a bug.

tux2bsd · Apr 30, 2022

eternal_noob said:
I consider this a bug.

It should at least state there is a new vuln list or remind you to update (and suggest how).

Update mechanisms should not be neglected, it's something that annoys me.

Solved Package found vulnerable in a jail, but not on the host

quamenzullo

monwarez

quamenzullo

eternal_noob

tux2bsd