Hi team,
I found something on my Arch system today and wanted to share it with you, maybe it helps. Sorry in advance if my English is not perfect, I have strong dyslexia so please bear with me :O
This morning I ran `arch-audit` on my fully updated system and it showed me 4 High and 13 Medium and 1 Low risk findings. That looked scary so I started checking each one by hand. What I found is that all 22 of them are actually fine already — the package I have installed is newer than the "affected" version in the tracker, sometimes by a lot.
For example:
- pam: tracker says affected `1.7.0-2`, I have `1.7.2-2.1` (and CVE-2025-6020 was fixed upstream in 1.7.1)
- openssl: tracker says affected `1.1.1.o-1`, I have `3.6.1-1.1` xD
- grub: tracker says affected `2:2.06-5`, I have `2:2.14-1.1`
- perl: tracker says affected `5.34.0-3`, I have `5.42.1-1.1`
Here is the full list I checked today (2026-04-07), all on a current Arch with `pacman -Syu` done:
| AVG | Package | Severity | Affected ≤ | Installed |
|---|---|---|---|---|
| AVG-2907 | djvulibre | High | 3.5.28-6 | 3.5.29-2.1 |
| AVG-2901 | pam | High | 1.7.0-2 | 1.7.2-2.1 |
| AVG-2898 | libxml2 | High | 2.14.4-1 | 2.15.2-1.1 |
| AVG-2762 | grub | High | 2:2.06-5 | 2:2.14-1.1 |
| AVG-2893 | systemd | Medium | 257.6-1 | 260.1-1 |
| AVG-2885 | coreutils | Medium | 9.7-1 | 9.10-1.1 |
| AVG-2850 | openjpeg2 | Medium | 2.5.0-3 | 2.5.4-1.1 |
| AVG-2765 | openssl | Medium | 1.1.1.o-1 | 3.6.1-1.1 |
| AVG-2842 | libtiff | Unknown | 4.4.0-1 | 4.7.1-1.1 |
| AVG-2721 | libtiff | Medium | 4.3.0-2 | 4.7.1-1.1 |
| AVG-2663 | python-twisted | Medium | 21.7.0-4 | 24.11.0-1 |
| AVG-2630 | perl | Medium | 5.34.0-3 | 5.42.1-1.1 |
| AVG-2520 | libheif | Medium | 1.12.0-2 | 1.21.2-2.1 |
| AVG-2367 | openvpn | Medium | 2.5.5-1 | 2.7.1-1.1 |
| AVG-2264 | perl | Medium | 5.34.0-3 | 5.42.1-1.1 |
| AVG-1892 | wget | Medium | 1.21.3-1 | 1.25.0-3.1 |
| AVG-1855 | giflib | Medium | 5.2.1-2 | 6.1.2-1.1 |
| AVG-1420 | xdg-utils | Medium | 1.1.3+19+g9816ebb-1 | 1.2.1-2 |
| AVG-1354 | xerces-c | Medium | 3.2.3-5 | 3.3.0-4.1 |
| AVG-2890 | perl | Low | 5.40.2-1 | 5.42.1-1.1 |
| AVG-2882 | openssl | Low | 3.5.0-1 | 3.6.1-1.1 |
| AVG-2089 | python-mpmath | Low | 1.2.1-5 | 1.4.1-1 |
I checked this by getting the JSON from `https://security.archlinux.org/{AVG}.json` for every entry and comparing the `affected` field with `pacman -Q` using `vercmp`. I am not saying every single one is 100% safe — maybe a regression slipped in somewhere. But for most of them the version gap is just too big to still be the same problem.
The thing that bothers me is, if I (a normal user) see 22 vulnerabilities and they are all stale, then I start to ignore the warnings — and one day there will be a real one in there and I will miss it. That's not good for anyone. I also noticed I am not the only one who had this problem, there are tools like `taps` and `avg-audit` and others that all do the same little trick (comparing installed version to affected) just to filter the noise. It feels like everyone is solving the same thing on their own side instead of fixing it once in the tracker.
I did some reading before writing this and I saw that you already know about it, kind of:
So I think the code is mostly there, it just needs someone to go through the list every now and then. I don't know how your team works internally but maybe one of these could help:
- If a package version is bigger than `affected` for like 30 or 60 days and nobody complained, mark it automatically as "likely fixed (please verify)" so it doesn't show up as vulnerable anymore by default
- Add a "likely fixed" field to the public JSON so tools like arch-audit can hide them
- Make the existing version-bump todo list more visible somewhere, maybe on the front page so it's easier to remember
I'm not a Python or Flask person so I can't write the code myself, but if you want I can give you more data from my system or test patches, just let me know.
Thanks a lot for keeping the tracker running, I know you all do this in your free time and Arch would not be the same without it. Please don't take this as complaining, I really just want to help. If this is a duplicate of something I missed, feel free to close it.
Best regards
kuppit
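The check the report describes (compare each AVG's `affected` field against `pacman -Q` with `vercmp`), written out as an added example that is neither the reporter's script nor the tracker's code. It ports libalpm's `vercmp` ordering to Python so it runs without pacman, assumes the `name`/`packages`/`affected` field names of the tracker's `{AVG}.json`, and uses AVG records and a `pacman -Q` snapshot constructed from the table above rather than fetched.

```python
# Added example, not the reporter's or the tracker's code: libalpm vercmp ordering ported to Python.
import re
def _rpmvercmp(a, b):
    """libalpm rpmvercmp port: -1 if a < b, 0 if equal, 1 if a > b."""
    i = j = 0
    while i < len(a) and j < len(b):
        si, sj = i, j                            # start of separator runs
        while i < len(a) and not a[i].isalnum(): i += 1
        while j < len(b) and not b[j].isalnum(): j += 1
        if i == len(a) or j == len(b): break
        if i - si != j - sj:                     # separator length differs
            return -1 if i - si < j - sj else 1
        isnum = a[i].isdigit()                   # segment type follows a
        sa = re.match(r"\d+" if isnum else r"[^\W\d_]+", a[i:]).group()
        sb = re.match(r"\d+|[^\W\d_]+", b[j:]).group()
        if isnum != sb[0].isdigit():
            return 1 if isnum else -1            # numeric beats alpha
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):               # more digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i == len(a) and j == len(b): return 0
    alpha_tail = (i == len(a) and not b[j].isalpha()) or (i < len(a) and a[i].isalpha())
    return -1 if alpha_tail else 1               # leftover alpha never wins (1.5b < 1.5)

def _parse_evr(v):
    """Split [epoch:]version[-release]; epoch defaults to "0", release to None."""
    m = re.match(r"(\d*):", v)
    epoch, rest = (m.group(1) or "0", v[m.end():]) if m else ("0", v)
    ver, sep, rel = rest.rpartition("-")
    return epoch, (ver if sep else rest), (rel if sep else None)

def vercmp(a, b):
    """Same sign as pacman's `vercmp a b`: epoch, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = _parse_evr(a), _parse_evr(b)
    ret = _rpmvercmp(ea, eb) or _rpmvercmp(va, vb)
    return _rpmvercmp(ra, rb) if ret == 0 and ra is not None and rb is not None else ret

# Constructed from the issue's table; field names assume the tracker's {AVG}.json shape.
TRACKER = [{"name": "AVG-2762", "packages": ["grub"], "affected": "2:2.06-5"},
           {"name": "AVG-2765", "packages": ["openssl"], "affected": "1.1.1.o-1"}]
PACMAN_Q = "grub 2:2.14-1.1\nopenssl 3.6.1-1.1\n"   # constructed `pacman -Q` snapshot

def stale_findings(tracker, pacman_q):
    installed = dict(line.split() for line in pacman_q.splitlines() if line)
    return sorted(avg["name"] for avg in tracker for p in avg["packages"]
                  if p in installed and vercmp(installed[p], avg["affected"]) > 0)
```

`stale_findings` returns the AVGs whose installed version already exceeds `affected`; anything it does not return is still worth reading in the tracker.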