Date: Sun, 17 Sep 2006 19:43:07 +0200
From: "Simon L. Nielsen"
To: Vadim Goncharov
Cc: Greg Lewis, freebsd-bugs@freebsd.org, bug-followup@freebsd.org, freebsd-java@freebsd.org
Subject: Re: ports/103313: portaudit reports bogus java/diablo-jdk15 vulnerabity due to incorrect pkg naming
Message-ID: <20060917174306.GA33937@zaphod.nitro.dk>
References: <200609161726.k8GHQrRW013690@freefall.freebsd.org>

On 2006.09.17 01:45:10 +0700, Vadim Goncharov wrote:
> 17.09.06 @ 00:26 Greg Lewis wrote:
>
> >Synopsis: portaudit reports bogus java/diablo-jdk15 vulnerabity due to
> >incorrect pkg naming
> >
> >State-Changed-From-To: open->closed
> >State-Changed-By: glewis
> >State-Changed-When: Sat Sep 16 17:26:05 UTC 2006
> >State-Changed-Why:
> >This was fixed by remko@'s recent commit to vuln.xml (rev. 1.1131).
> >
> >http://www.freebsd.org/cgi/query-pr.cgi?pr=103313
>
> That's VERY BAD method of fixing things. Package names should be changed,

No it's not. While it sucks we have to add such workarounds to the
VuXML document there really isn't any other way to do it, and it isn't
the first time we have to do it.

The package with the bad name is out there and being flagged as
vulnerable when it isn't. Yes, the package name should be fixed, but
that doesn't change that the workaround is needed for people who
already have it installed.

Greg Lewis has already said that he's going to look at getting the
package name fixed for the next release.

> not vuln.xml! As cause of illness should always be cured, not the
> symptoms. And, after all, even that fix was partial: it fixed only jdk on
> fbsd 6 - my fbsd 5 IS STILL "vulnerable". And this is only jdk, but we
> have the same problem with jre. And not only for i386, but for amd64 also
> - 6 packages total, not 1.

Ah, yes those should also be handled. Both remko@ and I missed that
when looking at fixing this. I will look at handling those packages
also as soon as possible.

-- 
Simon L. Nielsen
FreeBSD Deputy Security Officer