Date:      Fri, 31 Aug 2018 12:24:28 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        freebsd-security@freebsd.org
Subject:   Re: Was wpa_supplicant CVE-2018-14526 fixed in 10.4-p11? / PR 231054
Message-ID:  <9787dd02-177c-e5cf-0368-10cf8aca2e6f@quip.cz>
In-Reply-To: <b3a70fdc-e072-50be-634d-c193f776243c@quip.cz>
References:  <b3a70fdc-e072-50be-634d-c193f776243c@quip.cz>

Miroslav Lachman wrote on 2018/08/28 00:20:
> Running pkg audit FreeBSD-10.4_11 gives me one vulnerability:
> 
> # pkg audit FreeBSD-10.4_11
> FreeBSD-10.4_11 is vulnerable:
> wpa_supplicant -- unauthenticated encrypted EAPOL-Key data
> CVE: CVE-2018-14526
> WWW: https://vuxml.FreeBSD.org/freebsd/6bedc863-9fbe-11e8-945f-206a8a720317.html
> 
> 1 problem(s) in the installed packages found.
> 
> But information on the page shows it was fixed in 10.4-p10:
> 
> Affected packages
> wpa_supplicant     <     2.6_2
> FreeBSD     <=     10.4_10
> FreeBSD     <=     11.2_1
> 
> So... was it really fixed? Is there incorrect info in VuXML database 
> file or on the web page?

As noted privately by Dan Lukes, there is a wrong entry in vuln.xml - 
missing < 10.4 and < 11.2 (start of the range)

--- vuln.xml.orig     2018-08-30 03:02:57.656941000 +0200
+++ vuln.xml          2018-08-31 12:13:53.564345000 +0200
@@ -525,8 +525,8 @@
        </package>
        <package>
         <name>FreeBSD</name>
-       <range><le>10.4_10</le></range>
-       <range><le>11.2_1</le></range>
+       <range><ge>10.4</ge><le>10.4_10</le></range>
+       <range><ge>11.2</ge><le>11.2_1</le></range>
        </package>
      </affects>
      <description>
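
Review bot: The added <ge>10.4</ge> and <ge>11.2</ge> lower bounds in the FreeBSD <package> block also drop every version the old open-ended <le>11.2_1</le> matched below 10.4 and between 10.4_10 and 11.2, so confirm that none of those is meant to stay flagged, and add an explicit range for any that is. A short XML comment next to the two ranges saying that each one is scoped to a single release branch would help keep later entries from reintroducing an <le> without a matching <ge>.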

See PR 231054.

Miroslav Lachman
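
Why the entry without lower bounds flags 10.4_11 and the bounded one does not, as an added example that is not part of the original message and is not pkg's own code. The names `vkey`, `matching_ranges` and `is_vulnerable` are hypothetical, and the version ordering is a simplified assumption that only handles the `X.Y` and `X.Y_N` strings seen in this thread.

```python
import operator
import xml.etree.ElementTree as ET

# The FreeBSD <package> element before and after the patch in this message.
BEFORE = """<package><name>FreeBSD</name>
<range><le>10.4_10</le></range>
<range><le>11.2_1</le></range>
</package>"""
AFTER = """<package><name>FreeBSD</name>
<range><ge>10.4</ge><le>10.4_10</le></range>
<range><ge>11.2</ge><le>11.2_1</le></range>
</package>"""

OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}


def vkey(version):
    """Ordering key for 'X.Y' or 'X.Y_N' (assumption: simplified, not
    pkg's full version comparison)."""
    base, _, patch = version.partition("_")
    return tuple(int(p) for p in base.split(".")) + (int(patch or 0),)


def matching_ranges(package_xml, installed):
    """Return, as text, every <range> that the installed version satisfies."""
    hits = []
    for rng in ET.fromstring(package_xml).findall("range"):
        # Bounds inside one <range> must all hold; separate <range>
        # elements are alternatives, so a single hit marks the version.
        if all(OPS[b.tag](vkey(installed), vkey(b.text)) for b in rng):
            hits.append("".join(f"<{b.tag}>{b.text}</{b.tag}>" for b in rng))
    return hits


def is_vulnerable(package_xml, installed):
    return bool(matching_ranges(package_xml, installed))


if __name__ == "__main__":
    for label, frag in (("before", BEFORE), ("after", AFTER)):
        for v in ("10.4_10", "10.4_11", "11.2_1", "11.2_2"):
            print(f"{label:6} {v:8} {matching_ranges(frag, v)}")
```

With the original entry, 10.4_11 is caught by the 11.x range because it sorts below 11.2_1; the lower bounds confine each range to its own release branch.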


