Date:      Sun, 21 Jun 2015 14:54:30 +0000
From:      Steve Wills <swills@FreeBSD.org>
To:        Ing. Břetislav Kubesa <bretislav.kubesa@gmail.com>
Cc:        ruby@FreeBSD.org, ports@FreeBSD.org
Subject:   Re: FreeBSD Port: ruby20-2.0.0.645,1 - reported as vulnerable while it isn't ?
Message-ID:  <20150621145426.GA39135@mouf.net>
In-Reply-To: <55865D15.5010608@gmail.com>
References:  <55865D15.5010608@gmail.com>

Hi,

Did you build your own ports where ruby 2.0 was default? I see the package name
here is ruby-2.0.0.645,1, not ruby20-2.0.0.645,1. The entries in vuxml look
like this:

        <name>ruby20</name>
        <range><lt>2.0.0.645,1</lt></range>

...

        <name>ruby</name>
        <range><lt>2.1.6,1</lt></range>

So I think maybe it's matching the second entry and then looking for a ruby
version 2.1.6,1 or newer. Not sure what the right solution is for this right
now.

Steve


On Sun, Jun 21, 2015 at 08:43:33AM +0200, Ing. Břetislav Kubesa wrote:
> Hi,
>
> already for longer time while updating to 2.0.0.645,1 version, I'm
> getting message that it's vulnerable, but I think it's not the case as
> vulnerable are ruby20 < 2.0.0.645,1 (but it's not ruby20 <= 2.0.0.645,1).
> However I'm not sure where to report it for checking, so I hope it's the
> right place here.
>
> Thank you.
>
>
> --->  Upgrading 'ruby-2.0.0.643_1,1' to 'ruby-2.0.0.645,1' (lang/ruby20)
> --->  Building '/usr/ports/lang/ruby20'
> ===>  Cleaning for ruby-2.0.0.645,1
> ===>  ruby-2.0.0.645,1 has known vulnerabilities:
> ruby-2.0.0.645,1 is vulnerable:
> Ruby -- OpenSSL Hostname Verification Vulnerability
> CVE: CVE-2015-1855
> WWW: http://vuxml.FreeBSD.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html
>=20
> Best regards,
> Bretislav Kubesa
