Date: Mon, 10 Aug 2009 18:41:27 +0100 From: Ben Morrow <ben@morrow.me.uk> To: hawei@free.fr, freebsd-stable@freebsd.org Subject: Re: status of flash9/flash10 support in RELENG_7 ? Message-ID: <20090810174127.GA63355@osiris.mauzo.dyndns.org> In-Reply-To: <20090810080406.GA1608@pollux.local.net> References: <20090725013500.GC62402@onelab2.iet.unipi.it> <20090725073805.GA11455@abigail.blackend.org> <20090806211401.GB2546@pollux.local.net> <68208453@h30.sp.ipt.ru> <20090809220452.GA56972@osiris.mauzo.dyndns.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Quoth Harald <hawei@free.fr>: > On Sun, Aug 09, 2009 at 11:04:52PM +0100, Ben Morrow wrote: > > > I was about to say 'I believe the vuxml entry for firefox is incorrect', > > but I see it's been fixed. Neither 3.0.13 nor 3.5.2 are vulnerable, and > > vuxml now correctly reports this. > > Today security/vuxml/vuln.xml says: > > <affects> > <package> > <name>firefox</name> > <name>linux-firefox</name> > <range><lt>3.*,1</lt></range> > <range><gt>3.*,1</gt><lt>3.0.13,1</lt></range> > <range><gt>3.5.*,1</gt><lt>3.5.2,1</lt></range> > </package> > > 1. Could someone tell me the meaning of the ``*'' values please ? > I can't see the logic of the range lines. 3.* is the lowest possible version starting with '3.': in particular, it's less than 3.0 and less than 3.a . So the <lt>3.*,1</lt> will match anything less than firefox3. The next two lines deal with the specifics of which firefox3 versions are vulnerable. > 2. Yesterday I installed firefox quickly with ``pkg_add -r firefox3'' > and got firefox-3.0.10,1. > Portaudit declares it vulnerable which seems to correspond > to the second range line. > I guess I have to compile firefox3 to be clean ? 3.0.10,1 is vulnerable, yes. If there aren't packages for 3.0.13,1 yet you will need to compile it yourself. Ben
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090810174127.GA63355>