Channels
#fleet
Title
# fleet
m
Mystery Incorporated
09/04/2021, 6:57 PMHeya is it meant to not remove the old vulnerable entry when I update????
t
Tomas Touceda
09/06/2021, 5:52 PMcould it be that both versions are still available?
m
Mystery Incorporated
09/07/2021, 3:12 PMNot at all, just v3.4.8 is installed which is not even showing in that list at all, but when I list python packaes it is there I will show you the list of python packages. Also it is doing it with httplib2
Here is output of installed packages from pip (I updated to 3.3 and then 3.4.8 those days ago and still it doesn't say 3.4.8 is installed and lists the two vulnerable versions that are not)
At least it shows the current version of httplib2 as well
This is the dir that the packages get installed to.
On a completely different host, it sees the 3.4.8 version but still lists the non existant 2.8 vulnerable version
t
Tomas Touceda
09/07/2021, 4:32 PMgotcha, could you please file a bug report https://github.com/fleetdm/fleet/issues/new?assignees=&labels=bug%2C%3Areproduce&template=bug-report.md&title= ? I'll look into it
could you tell me what the result of this osquery query is:
Copy code
SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packagesm
Mystery Incorporated
09/09/2021, 4:03 PMI'll check now
@Tomas Touceda the output of that command shows only the old, no longer installed version of the python package.
t
Tomas Touceda
09/09/2021, 4:09 PMah you uninstalled that version and only have the newer one? that's odd, wonder why osquery is returning that still
m
Mystery Incorporated
09/09/2021, 4:12 PMOn a second host, it doesn't show even the old httplib2, it shows none at all! And still shows the old cryptography 2.8
And it is definitely installed (pip list)
t
Tomas Touceda
09/09/2021, 4:17 PMmight be something interesting to ask in #general