Hi! > pkg audit complains that > > py37-aiohttp-3.7.4.p0 (www/py-aiohttp) is vulnerable: > > aiohttp -- open redirect vulnerability > > CVE: CVE-2021-21330 > > WWW: > > https://vuxml.FreeBSD.org/freebsd/3000acee-c45d-11eb-904f-14dae9d5a9d2.html > > > > 1 problem(s) found. > > However, AFAICT following the link, this CVE was fixed in 3.7.4. > Is this version vulnerable or not? > > Reading https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256219, IIUIC, > looks like answer is no. > Is then something wrong with my audit database?
>From reading the ticket it's probably a problem of the PORTVERSION -- there's some ordering assumption, which causes 3.7.4 to be newer than 3.7.4.post0. -- p...@opsec.eu +49 171 3101372 Now what ?
