Date:      Wed, 25 Jul 2007 00:43:30 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Xin LI <delphij@delphij.net>
Cc:        cvs-ports@FreeBSD.ORG, Xin LI <delphij@FreeBSD.ORG>, cvs-all@FreeBSD.ORG, ports-committers@FreeBSD.ORG
Subject:   Re: cvs commit: ports/security/vuxml vuln.xml
Message-ID:  <20070724224329.GE1003@zaphod.nitro.dk>
In-Reply-To: <46A67D87.7090108@delphij.net>
References:  <200707241417.l6OEH7oG049577@repoman.freebsd.org> <20070724222656.GD1003@zaphod.nitro.dk> <46A67D87.7090108@delphij.net>

On 2007.07.25 06:30:31 +0800, Xin LI wrote:
> Simon L. Nielsen wrote:
>> On 2007.07.24 14:17:07 +0000, Xin LI wrote:
>>> delphij     2007-07-24 14:17:07 UTC
>>> 
>>>   FreeBSD ports repository
>>> 
>>>   Modified files:
>>>     security/vuxml       vuln.xml
>>>   Log:
>>>   The previous vuxml entry applies to jakarta-tomcat 4.0.x as well, so mark
>>>   it as affected as well.  Since there is no newer release I have used 4.1.0
>>>   as the "fixed" version.
>> Has it actually been fixed in 4.1.0?  If not you should just not set a
>> top version to avoid a new release which actually doesn't fix the
>> issue being marked secure.
> 
> No.  The version is chosen because that 4.1.0 is greater than the possible 
> version (the port itself is 4.0.x).  Should there be a better way to 
> represent it, please feel free to commit a fix, thanks!

I just checked http://tomcat.apache.org/security-4.html - and from
reading that the fixes should be in 4.1.36 (even if that isn't in
ports), does that seem correct?  I never used tomcat so I don't know
if I'm missing something.  If it is fixed in upstream 4.1.36 it
would be fine just to mark the vulnerability as fixed in 4.1.36, even
if that isn't in ports yet.

-- 
Simon L. Nielsen
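
An added example (not part of the thread and not code from the VuXML tooling) showing how the three upper-bound choices discussed above change which installed versions an entry flags. The <range>, <ge> and <lt> elements are VuXML's; the fragments, the 4.0.0 lower bound, the sample versions and the simplified dotted-number comparison are assumptions made for illustration.

```python
import operator
import xml.etree.ElementTree as ET

PORT = "jakarta-tomcat"

def pkg(*bounds):
    # Constructed VuXML-style <package> fragment, not the real vuln.xml entry.
    inner = "".join(f"<{tag}>{ver}</{tag}>" for tag, ver in bounds)
    return f"<package><name>{PORT}</name><range>{inner}</range></package>"

# The three options from the thread. The ge 4.0.0 lower bound is assumed.
ENTRIES = {
    "lt-4.1.0": pkg(("ge", "4.0.0"), ("lt", "4.1.0")),    # bound picked in the commit
    "lt-4.1.36": pkg(("ge", "4.0.0"), ("lt", "4.1.36")),  # upstream release with the fix
    "no-top": pkg(("ge", "4.0.0")),                       # no top version set
}

OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}

def vkey(version):
    # Assumption: plain dotted numeric versions. Real port versions also carry
    # PORTREVISION, PORTEPOCH and letter suffixes, which this ignores.
    return tuple(int(part) for part in version.split("."))

def affected(package_xml, name, version):
    """True if `version` of `name` falls inside any <range> of the fragment."""
    package = ET.fromstring(package_xml)
    if name not in [n.text for n in package.findall("name")]:
        return False
    installed = vkey(version)
    # Bounds inside one <range> must all hold; separate ranges are alternatives.
    return any(
        all(OPS[bound.tag](installed, vkey(bound.text)) for bound in rng)
        for rng in package.findall("range")
    )

def report(version):
    """Map each candidate entry to whether it flags the given version."""
    return {label: affected(xml, PORT, version) for label, xml in ENTRIES.items()}

if __name__ == "__main__":
    for v in ("4.0.6", "4.1.0", "4.1.31", "4.1.36"):
        print(v, report(v))
```

With the 4.1.0 bound, every 4.1.x version drops out of the entry, including releases older than the 4.1.36 named upstream; the open-ended entry keeps flagging everything until someone adds a top version.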


