# Is python27 updated?



## FKEinternet (May 10, 2018)

On May 7, I got a notification in my server's daily security run output that python27 was determined to be vulnerable:

```
Checking for packages with security vulnerabilities:
python27-2.7.14_1

Checking for a current audit database:

Database created: Sun May  6 02:13:00 EDT 2018

Checking for packages with security vulnerabilities:


Checking for packages with mismatched checksums:
ghc-8.0.2_3: /usr/local/bin/haddock
...
```
I tried to update python27:

```
# pkg info python27
python27-2.7.14_1
Name           : python27
Version        : 2.7.14_1
Installed on   : Wed Mar  7 06:32:09 2018 EST
Origin         : lang/python27
Architecture   : FreeBSD:11:amd64
Prefix         : /usr/local
Categories     : python lang ipv6
Licenses       : PSFL
Maintainer     : python@FreeBSD.org
WWW            : https://www.python.org/
Comment        : Interpreted object-oriented programming language
Options        :
        DEBUG          : off
        IPV6           : on
        LIBFFI         : on
        NLS            : on
        PYMALLOC       : on
        THREADS        : on
        UCS2           : off
        UCS4           : on
Shared Libs required:
        libreadline.so.7
        libintl.so.8
        libffi.so.6
Shared Libs provided:
        libpython2.7.so.1
Annotations    :
        cpe            : cpe:2.3:a:python:python:2.7.14:::::freebsd11:x64:1
        repo_type      : binary
        repository     : FreeBSD
Flat size      : 67.7MiB
Description    :
Python is an interpreted object-oriented programming language, and is
often compared to Tcl, Perl or Scheme.

WWW: https://www.python.org/

# pkg update
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    6 MiB   6.5MB/s    00:01
Processing entries: 100%
FreeBSD repository update completed. 31727 packages processed.
All repositories are up to date.

# pkg install python27
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installed

# pkg audit
python27-2.7.14_1 is vulnerable:
python 2.7 -- multiple vulnerabilities
CVE: CVE-2018-1061
CVE: CVE-2018-1060
CVE: CVE-2017-9233
CVE: CVE-2016-9063
CVE: CVE-2016-4472
CVE: CVE-2016-0718
CVE: CVE-2012-0876
WWW: https://vuxml.FreeBSD.org/freebsd/8719b935-8bae-41ad-92ba-3c826f651219.html

1 problem(s) in the installed packages found.

# pkg update --force
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    6 MiB   6.5MB/s    00:01
Processing entries: 100%
FreeBSD repository update completed. 31727 packages processed.
All repositories are up to date.

# pkg install python27
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installed
```
I checked the VuXML link, and it basically says the same thing as the audit output, except that the URLs in the References section point to GitHub.

Thinking the repository might not be up to date, and being busy with other things, I set the issue aside for later.  I repeated the upgrade attempt on May 8 and 9, and got the same result.

Today my security run output had another vulnerability:

```
Checking for packages with security vulnerabilities:
python27-2.7.14_1
wget-1.19.4_2

Checking for a current audit database:

Downloading fresh database.
auditfile.tbz                                            0  B    0  Bps
New database installed.
Database created: Thu May 10 03:13:00 EDT 2018

Checking for packages with security vulnerabilities:


Checking for packages with mismatched checksums:
ghc-8.0.2_3: /usr/local/bin/haddock
...
```
Again I attempted an upgrade, without success:

```
# pkg update
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    6 MiB   6.5MB/s    00:01
Processing entries: 100%
FreeBSD repository update completed. 31828 packages processed.
All repositories are up to date.

# pkg install python27
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installed

# pkg install wget
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installed

# pkg audit
python27-2.7.14_1 is vulnerable:
python 2.7 -- multiple vulnerabilities
CVE: CVE-2018-1061
CVE: CVE-2018-1060
CVE: CVE-2017-9233
CVE: CVE-2016-9063
CVE: CVE-2016-4472
CVE: CVE-2016-0718
CVE: CVE-2012-0876
WWW: https://vuxml.FreeBSD.org/freebsd/8719b935-8bae-41ad-92ba-3c826f651219.html

wget-1.19.4_2 is vulnerable:
wget -- cookie injection vulnerability
CVE: CVE-2018-0494
WWW: https://vuxml.FreeBSD.org/freebsd/7b5a8e3b-52cc-11e8-8c7a-9c5c8e75236a.html

2 problem(s) in the installed packages found.
```

I have a /usr/local/etc/pkg/repos/FreeBSD.conf that contains

```
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  enabled: yes
}
```
so I would expect the latest versions in the repositories to be used for my updates.  Am I doing something wrong, or have the repositories not been updated?
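As an added example (not part of this thread), a small POSIX sh script that separates the two situations the posts describe: a flagged package for which the repository already ships a newer build, versus one that the audit database flags but the binary repository has not rebuilt yet. The `pkg audit` and `pkg version -vR` texts are constructed samples modelled on the output above, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: tell apart "a fixed package is
# already in the repo" from "pkg audit flags it but the repo has not
# been rebuilt yet". Inputs are constructed samples modelled on the
# thread's `pkg audit` output and on `pkg version -vR` output.

SAMPLE_AUDIT='python27-2.7.14_1 is vulnerable:
python 2.7 -- multiple vulnerabilities
CVE: CVE-2018-1061
CVE: CVE-2018-1060
WWW: https://vuxml.FreeBSD.org/freebsd/8719b935-8bae-41ad-92ba-3c826f651219.html

wget-1.19.4_2 is vulnerable:
wget -- cookie injection vulnerability
CVE: CVE-2018-0494
WWW: https://vuxml.FreeBSD.org/freebsd/7b5a8e3b-52cc-11e8-8c7a-9c5c8e75236a.html

2 problem(s) in the installed packages found.'

# Constructed; only the "=" / "<" comparison column is used.
SAMPLE_VERSION='python27-2.7.14_1   =   up-to-date with remote
wget-1.19.4_2       <   needs updating (remote has 1.19.5)
ghc-8.0.2_3         =   up-to-date with remote'

# stdin: pkg audit output -> flagged pkgname-version, one per line.
audit_flagged() {
    awk '/ is vulnerable:$/ { print $1 }'
}

# $1: pkgname-version, $2: pkg version -vR output.
# Prints update-available, repo-lag or unknown.
classify_flagged() {
    cmp=$(printf '%s\n' "$2" | awk -v p="$1" '$1 == p { print $2; exit }')
    case "$cmp" in
        '<') echo update-available ;;  # newer build in repo: pkg upgrade fixes it
        '=') echo repo-lag ;;          # audit flags it, repo still ships this version
        *)   echo unknown ;;           # not in the catalogue comparison at all
    esac
}

# $1: audit output, $2: version output -> "pkgname-version status" per package.
report() {
    printf '%s\n' "$1" | audit_flagged | while IFS= read -r pkg; do
        printf '%s %s\n' "$pkg" "$(classify_flagged "$pkg" "$2")"
    done
}

report "$SAMPLE_AUDIT" "$SAMPLE_VERSION"
```

On a live system, feed it `pkg audit -F` and `pkg version -vR` output instead of the samples; a `repo-lag` line means repeating `pkg install` cannot help until the repository catalogue carries the rebuilt package.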


----------



## PMc (May 10, 2018)

Well, I would say, on the web the ports tree SVN currently shows python 2.7.14.
While from the CVE it says the flaw is fixed in 2.7.15.
So, it seems the repo has not yet been updated.


----------



## _martin (May 10, 2018)

Indeed, we need to wait for a maintainer to update it. What I was a little bit confused about is that the current FreeBSD version also includes CVEs as old as 2012.


----------



## talsamon (May 11, 2018)

It is fixed: https://svnweb.freebsd.org/ports?view=revision&revision=469635. The package always needs a few days longer.


----------

