audit error after update to 17.1.2

[Julien]

Dear all,
after updating to the version 17.1.2, we run a audit got this error see below.

Code: [Select]

***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
curl-7.52.1_1 is vulnerable:
cURL -- ocsp status validation error
CVE: CVE-2017-2629
WWW: https://vuxml.FreeBSD.org/freebsd/311e4b1c-f8ee-11e6-9940-b499baebfeaf.html

1 problem(s) in the installed packages found.
***DONE***
are we supposed to do something to fix this ?

thank you

[netranger]

looks like it's normal that this thing is vulnerable 

https://curl.haxx.se/docs/vulnerabilities.html

not sure if there is a way or need to update this thing manually or if we should just wait for the next patch.

[franco]

The same audit report would have happened on 17.1.1 or 17.1 since it checks against the external FreeBSD ports/packages vulnerability database.

It helps with vulnerability management, raises awareness for likely issues for missing firmware updates.

But note that we do not always steer firmware upgrades because an audit report pops up, that's impossible for syncing up 150 packages installed, especially because the release procedure takes 2 days to complete for us.


Cheers,
Franco