1. Overview
This was on June 23, 2023.
$ pkg version -vl "<"
py39-setuptools-63.1.0 < needs updating (index has 63.1.0_1)
That is what it showed.
2. Situation
Well, this happens all the time, so I went to upgrade it:
portupgrade -rR py39-setuptools
This produced:
[Reading data from pkg(8) ... - 587 packages found - done]
[Gathering depends for devel/py-setuptools ......................... done]
... (omitted) ...
for textproc/py-sphinxcontrib-applehelp .. done]
[Exclude up-to-date packages ................................................................................................... done]
---> Upgrading 'py39-setuptools-63.1.0' to 'py39-setuptools-63.1.0_1' (devel/py-setuptools)
---> Building '/usr/ports/devel/py-setuptools'
===> Cleaning for py39-setuptools-63.1.0_1
===> Cleaning for py38-setuptools-63.1.0_1
===> Cleaning for py37-setuptools-63.1.0_1
===> Cleaning for py310-setuptools-63.1.0_1
===> Cleaning for py311-setuptools-63.1.0_1
===> py39-setuptools-63.1.0_1 has known vulnerabilities:
py39-setuptools-63.1.0_1 is vulnerable:
py39-setuptools -- denial of service vulnerability
CVE: CVE-2022-40897
WWW: https://vuxml.FreeBSD.org/freebsd/1b38aec4-4149-4c7d-851c-3c4de3a1fbd0.html
1 problem(s) in 1 installed package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1
Stop.
make: stopped in /usr/ports/devel/py-setuptools
egrep: empty (sub)expression
** Command failed [exit code 1]: /usr/bin/script -qa /tmp/portupgrade20230623-88697-dfooyc env UPGRADE_TOOL=portupgrade UPGRADE_PORT=py39-setuptools-63.1.0 UPGRADE_PORT_VER=63.1.0 make
** Fix the problem and try again.
** Listing the failed packages (-:ignored / *:skipped / !:failed)
! devel/py-setuptools (py39-setuptools-63.1.0) (security vulnerabilities)
To be honest, I don't really understand what is going on.
3. Trial and error
I thought it might be the usual conflict, so:
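As an added example (not part of the original post): the block in the log above is what the ports vulnerability check prints when it stops a build, and the sketch below pulls the package, summary, CVE and VuXML URL out of such a log so the finding can be looked up before deciding whether to wait for a fixed port. The function names `sample_log` and `vuln_findings` are hypothetical, and the sample input is constructed from the lines shown above.

```shell
#!/bin/sh
# Constructed sample: the vulnerability block copied from the log above.
sample_log() {
cat <<'EOF'
===>  Cleaning for py39-setuptools-63.1.0_1
===> py39-setuptools-63.1.0_1 has known vulnerabilities:
py39-setuptools-63.1.0_1 is vulnerable:
py39-setuptools -- denial of service vulnerability
CVE: CVE-2022-40897
WWW: https://vuxml.FreeBSD.org/freebsd/1b38aec4-4149-4c7d-851c-3c4de3a1fbd0.html
1 problem(s) in 1 installed package(s) found.
=> Please update your ports tree and try again.
*** Error code 1
EOF
}

# Read a build log on stdin and print one tab-separated record per finding:
#   package-version <TAB> summary <TAB> CVE list (or "-") <TAB> advisory URL
# Assumption: findings follow the layout shown in the log above
# ("<pkg> is vulnerable:", "<name> -- <summary>", "CVE:" lines, "WWW:" line).
vuln_findings() {
  awk '
    { sub(/\r$/, "") }                     # logs captured via script(1) may carry CRs
    / is vulnerable:$/ { pkg = $1; summary = cves = ""; next }
    pkg == ""          { next }            # ignore everything outside a finding block
    / -- / {                               # "<name> -- <summary>" starts one issue
      summary = $0; sub(/^[^ ]+ -- /, "", summary); cves = ""; next
    }
    /^CVE: / { cves = (cves == "" ? $2 : cves "," $2); next }
    /^WWW: / {                             # the advisory URL closes the issue
      printf "%s\t%s\t%s\t%s\n", pkg, summary, (cves == "" ? "-" : cves), $2
      summary = cves = ""; next
    }
    /problem\(s\) in/ { pkg = "" }         # trailer line ends the block
  '
}

# Usage: vuln_findings < /path/to/build.log
# or:    sample_log | vuln_findings
```

Each record gives the VuXML entry to read for the affected version range, which is what tells you whether a fixed port exists yet.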
cd /usr/ports/devel/py-setuptools
make deinstall clean
make
This produced:
===> py39-setuptools-63.1.0_1 has known vulnerabilities:
py39-setuptools-63.1.0_1 is vulnerable:
py39-setuptools -- denial of service vulnerability
CVE: CVE-2022-40897
WWW: https://vuxml.FreeBSD.org/freebsd/1b38aec4-4149-4c7d-851c-3c4de3a1fbd0.html
1 problem(s) in 1 installed package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1
Stop.
make: stopped in /usr/ports/devel/py-setuptools
Ugh, it got worse.
Now I can't even install it.
4. Stopgap
For now, on the "ports" side I will wait for the next version, and get by with "pkg" in the meantime.
$ pkg install py39-setuptools
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 5 package(s) will be affected (of 0 checked):
Installed packages to be REMOVED:
mono: 5.10.1.57_4
New packages to be INSTALLED:
perl5.34: 5.34.1_2
py39-setuptools: 63.1.0
Installed packages to be DOWNGRADED:
perl5: 5.34.1_2 -> 5.32.1_3
Installed packages to be REINSTALLED:
http-parser-2.9.4
Number of packages to be removed: 1
Number of packages to be installed: 2
Number of packages to be reinstalled: 1
Number of packages to be downgraded: 1
The operation will free 172 MiB.
1 MiB to be downloaded.
Proceed with this action? [y/N]:
Ah, so "perl" is going to be downgraded again.
Nothing to be done about it, so I proceed with y.
[1/2] Fetching py39-setuptools-63.1.0.pkg: 100% 1 MiB 1.1MB/s 00:01
[2/2] Fetching http-parser-2.9.4.pkg: 100% 18 KiB 18.6kB/s 00:01
Checking integrity... done (1 conflicting)
- perl5.34-5.34.1_2 conflicts with perl5-5.34.1_2 on /usr/local/bin/perl5.34.1
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 6 package(s) will be affected (of 0 checked):
Installed packages to be REMOVED:
mono: 5.10.1.57_4
New packages to be INSTALLED:
perl5.34: 5.34.1_2
py39-setuptools: 63.1.0
Installed packages to be REINSTALLED:
http-parser-2.9.4
Number of packages to be removed: 1
Number of packages to be installed: 2
Number of packages to be reinstalled: 1
The operation will free 171 MiB.
Proceed with this action? [y/N]:
Huh? So "perl" goes back to what it was after all?
y.
As it turned out, "perl" did not go back to what it was,
so once the above had finished I ran:
portupgrade -rRf perl5.34
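5. Suddenly resolved
On June 27, 2023, it suddenly resolved itself.
Hmm, "pkg" had been upgraded, though.
After the "pkg" upgrade,
portupgrade -rR py39-setuptools
went through.
However, updates of "rust" and "cargo", which had not been reported as needing an upgrade, ran as part of the "portupgrade" sequence, so it took almost a whole day.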