Date: Sun, 17 Sep 2006 19:43:07 +0200
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Vadim Goncharov <vadimnuclight@tpu.ru>
Cc: Greg Lewis <glewis@freebsd.org>, freebsd-bugs@freebsd.org, bug-followup@freebsd.org, freebsd-java@freebsd.org
Subject: Re: ports/103313: portaudit reports bogus java/diablo-jdk15 vulnerability due to incorrect pkg naming
Message-ID: <20060917174306.GA33937@zaphod.nitro.dk>
In-Reply-To: <optfzidkw74fjv08@nuclight.avtf.net>
References: <200609161726.k8GHQrRW013690@freefall.freebsd.org> <optfzidkw74fjv08@nuclight.avtf.net>
On 2006.09.17 01:45:10 +0700, Vadim Goncharov wrote:
> 17.09.06 @ 00:26 Greg Lewis wrote:
>
> >Synopsis: portaudit reports bogus java/diablo-jdk15 vulnerability due to
> >incorrect pkg naming
> >
> >State-Changed-From-To: open->closed
> >State-Changed-By: glewis
> >State-Changed-When: Sat Sep 16 17:26:05 UTC 2006
> >State-Changed-Why:
> >This was fixed by remko@'s recent commit to vuln.xml (rev. 1.1131).
> >
> >http://www.freebsd.org/cgi/query-pr.cgi?pr=103313
>
> That's a VERY BAD method of fixing things. Package names should be changed,

No it's not.  While it sucks we have to add such workarounds to the
VuXML document there really isn't any other way to do it, and it isn't
the first time we have to do it.  The package with the bad name is out
there and being flagged as vulnerable when it isn't.  Yes, the package
name should be fixed, but that doesn't change that the workaround is
needed for people who already have it installed.

Greg Lewis has already said that he's going to look at getting the
package name fixed for the next release.

> not vuln.xml! As the cause of an illness should always be cured, not the
> symptoms. And, after all, even that fix was partial: it fixed only jdk on
> fbsd 6 - my fbsd 5 IS STILL "vulnerable". And this is only jdk, but we
> have the same problem with jre. And not only for i386, but for amd64 also
> - 6 packages total, not 1.

Ah, yes those should also be handled.  Both remko@ and I missed that
when looking at fixing this.  I will look at handling those packages
also as soon as possible.

-- 
Simon L. Nielsen
FreeBSD Deputy Security Officer
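An added illustration of the mechanism the thread argues about (this is not part of the thread, and it is not the actual vuln.xml change in rev. 1.1131): a minimal portaudit-style check in Python that parses a VuXML-shaped document and compares installed package versions against its `<range>` bounds. The package name `example-jdk`, the version strings and the vulnerability id are constructed placeholders, and the version comparison is a simplified form of FreeBSD's pkg_version rules (numeric dotted components, `_` for PORTREVISION, `,` for PORTEPOCH). It shows why a fixed build that ships under a version string still sorting below the `<lt>` bound gets reported as vulnerable, and how narrowing the range in VuXML silences that report for everyone who already has the package installed, which a renamed package alone would not do.

```python
"""Simplified portaudit-style matching of installed packages against VuXML ranges.

Constructed example: the package name, versions and vid are placeholders, and
the version ordering is a reduced version of pkg_version(1) semantics.
"""
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_version(s):
    """'1.5.0.7_2,1' -> (epoch=1, [1, 5, 0, 7], revision=2); numeric components only."""
    epoch = 0
    if "," in s:
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in s:
        s, r = s.rsplit("_", 1)
        rev = int(r)
    return epoch, [int(p) for p in s.split(".")], rev


def cmp_version(a, b):
    """Return -1, 0 or 1 ordering a against b: epoch first, then components, then revision."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    n = max(len(pa), len(pb))
    pa, pb = pa + [0] * (n - len(pa)), pb + [0] * (n - len(pb))
    if pa != pb:
        return (pa > pb) - (pa < pb)
    return (ra > rb) - (ra < rb)


# VuXML bound elements and the comparison result they accept
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0,
       "gt": lambda c: c > 0, "ge": lambda c: c >= 0, "eq": lambda c: c == 0}


def in_range(version, range_el):
    """A <range> matches when every bound inside it holds."""
    for bound in range_el:
        tag = bound.tag.split("}")[1]  # strip the namespace
        if not OPS[tag](cmp_version(version, bound.text.strip())):
            return False
    return True


def split_pkg(pkg):
    """'example-jdk-1.5.0.6_3' -> ('example-jdk', '1.5.0.6_3')."""
    name, _, ver = pkg.rpartition("-")
    return name, ver


def audit(vuxml_text, installed):
    """Return [(package, vid)] for installed packages that fall in an affected range."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        for pkg_el in vuln.findall("v:affects/v:package", NS):
            names = {n.text.strip() for n in pkg_el.findall("v:name", NS)}
            ranges = pkg_el.findall("v:range", NS)
            for pkg in installed:
                name, ver = split_pkg(pkg)
                if name in names and any(in_range(ver, r) for r in ranges):
                    hits.append((pkg, vid))
    return hits


def vuxml_doc(lt_bound):
    """Build a one-entry VuXML document (constructed placeholder vid and name)."""
    return f"""<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>constructed example entry</topic>
    <affects>
      <package>
        <name>example-jdk</name>
        <range><lt>{lt_bound}</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""


# Constructed scenario: the fix landed in 1.5.0.7, but the fixed build was
# shipped under the un-bumped version string 1.5.0.6_3 (the "bad name").
VUXML_ORIGINAL = vuxml_doc("1.5.0.7")      # flags the misnamed fixed build
VUXML_WORKAROUND = vuxml_doc("1.5.0.6_3")  # range narrowed so it no longer does
INSTALLED = ["example-jdk-1.5.0.6_1",      # genuinely vulnerable build
             "example-jdk-1.5.0.6_3",      # fixed, but misnamed
             "example-jdk-1.5.0.7"]        # fixed, correctly named

if __name__ == "__main__":
    print("original entry :", audit(VUXML_ORIGINAL, INSTALLED))
    print("workaround entry:", audit(VUXML_WORKAROUND, INSTALLED))
```

The trade-off the workaround makes is visible in the narrowed bound: any package that really is version 1.5.0.6_3 or later is treated as fixed, so the VuXML edit only makes sense while the misnamed build is the only thing carrying that version string.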