From: Steve Wills <swills@mouf.net>
To: Ing. Břetislav Kubesa
Cc: ruby@FreeBSD.org, ports@FreeBSD.org
Date: Sun, 21 Jun 2015 14:54:30 +0000
Subject: Re: FreeBSD Port: ruby20-2.0.0.645,1 - reported as vulnerable while it isn't ?
Message-ID: <20150621145426.GA39135@mouf.net>
In-Reply-To: <55865D15.5010608@gmail.com>
List-Id: FreeBSD-specific Ruby discussions

Hi,

Did you build your own ports where ruby 2.0 was default? I see the package name here is ruby-2.0.0.645,1, not ruby20-2.0.0.645,1. The entries in vuxml look like this:

3326 ruby20
3327 2.0.0.645,1
...
3330 ruby
3331 2.1.6,1

So I think maybe it's matching the second entry and then looking for a ruby version 2.1.6,1 or newer. Not sure what the right solution is for this right now.

Steve

On Sun, Jun 21, 2015 at 08:43:33AM +0200, Ing. Břetislav Kubesa wrote:
> Hi,
>
> For a longer time already, while updating to the 2.0.0.645,1 version, I've been
> getting a message that it's vulnerable, but I think that's not the case, as
> the vulnerable versions are ruby20 < 2.0.0.645,1 (not ruby20 <= 2.0.0.645,1).
> However, I'm not sure where to report it for checking, so I hope this is the
> right place.
>
> Thank you.
>
> ---> Upgrading 'ruby-2.0.0.643_1,1' to 'ruby-2.0.0.645,1' (lang/ruby20)
> ---> Building '/usr/ports/lang/ruby20'
> ===> Cleaning for ruby-2.0.0.645,1
> ===> ruby-2.0.0.645,1 has known vulnerabilities:
> ruby-2.0.0.645,1 is vulnerable:
> Ruby -- OpenSSL Hostname Verification Vulnerability
> CVE: CVE-2015-1855
> WWW: http://vuxml.FreeBSD.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html
>
> Best regards,
> Bretislav Kubesa
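The name-and-range matching Steve describes, as an added example that is not part of the original thread and not FreeBSD's own pkg(8) or vuxml code: a small Ruby script that parses a constructed VuXML fragment modelled on the two entries quoted above (the vuln id and text are made up for the example) and audits a package name against it. The version comparator is a simplified model of FreeBSD version ordering (epoch after ",", dotted numeric components, PORTREVISION after "_") and is an assumption, not pkg's exact algorithm. It shows why ruby-2.0.0.645,1 is flagged while ruby20-2.0.0.645,1 is not: the name "ruby" only matches the entry whose bound is 2.1.6,1.

```ruby
require 'rexml/document'

# Constructed VuXML fragment modelled on the thread (not the real advisory):
# one <vuln> lists a <package> entry per ruby flavour, plus an entry for the
# package named plain "ruby", which is what the default-version flavour builds.
VUXML = <<~XML
  <vuxml>
    <vuln vid="00000000-0000-0000-0000-000000000000">
      <topic>Ruby -- OpenSSL Hostname Verification Vulnerability</topic>
      <affects>
        <package>
          <name>ruby20</name>
          <range><lt>2.0.0.645,1</lt></range>
        </package>
        <package>
          <name>ruby</name>
          <range><lt>2.1.6,1</lt></range>
        </package>
      </affects>
    </vuln>
  </vuxml>
XML

# Simplified model of FreeBSD package version ordering (assumption; pkg(8)'s
# comparator handles more cases): "2.0.0.643_1,1" -> epoch 1, parts [2,0,0,643],
# revision 1. Epoch wins, then dotted components, then PORTREVISION.
def parse_version(str)
  ver, epoch = str.split(',', 2)
  ver, rev = ver.split('_', 2)
  [epoch.to_i, ver.split('.').map(&:to_i), rev.to_i]
end

def compare_versions(a, b)
  ea, ca, ra = parse_version(a)
  eb, cb, rb = parse_version(b)
  return ea <=> eb unless ea == eb
  n = [ca.size, cb.size].max
  c = (ca + [0] * (n - ca.size)) <=> (cb + [0] * (n - cb.size))
  return c unless c.zero?
  ra <=> rb
end

# A <range> holds one or more bounds (lt, le, gt, ge, eq); all must hold.
def in_range?(version, bounds)
  bounds.all? do |op, bound|
    c = compare_versions(version, bound)
    case op
    when 'lt' then c < 0
    when 'le' then c <= 0
    when 'gt' then c > 0
    when 'ge' then c >= 0
    when 'eq' then c.zero?
    else false
    end
  end
end

# Flatten the document into {topic, name, range} entries, one per <range>.
def load_entries(xml)
  doc = REXML::Document.new(xml)
  entries = []
  doc.elements.each('vuxml/vuln') do |vuln|
    topic = vuln.elements['topic'].text
    vuln.elements.each('affects/package') do |pkg|
      name = pkg.elements['name'].text
      pkg.elements.each('range') do |range|
        bounds = range.elements.to_a.map { |b| [b.name, b.text] }
        entries << { topic: topic, name: name, range: bounds }
      end
    end
  end
  entries
end

# "ruby-2.0.0.645,1" -> ["ruby", "2.0.0.645,1"]: the name is everything before
# the last '-', so "ruby" and "ruby20" are different packages to the matcher.
def split_pkg(pkgname)
  i = pkgname.rindex('-')
  [pkgname[0...i], pkgname[(i + 1)..-1]]
end

# Return the topics of every entry whose name matches and whose range contains
# the installed version; an empty array means "not vulnerable".
def audit(pkgname, entries)
  name, version = split_pkg(pkgname)
  entries.select { |e| e[:name] == name && in_range?(version, e[:range]) }
         .map { |e| e[:topic] }
end

ENTRIES = load_entries(VUXML)

if __FILE__ == $PROGRAM_NAME
  %w[ruby20-2.0.0.645,1 ruby-2.0.0.645,1 ruby-2.1.6,1].each do |p|
    hits = audit(p, ENTRIES)
    puts "#{p}: #{hits.empty? ? 'not vulnerable' : hits.join('; ')}"
  end
end
```

Run as a script it prints one line per package; only ruby-2.0.0.645,1 is reported, because the "ruby" entry's upper bound is 2.1.6,1, exactly the mismatch Steve suspects between the flavour name in the port and the package name the default-version build produces.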