Date:      Sat, 31 Aug 2019 17:43:03 +1000
From:      MJ <mafsys1234@gmail.com>
To:        =?UTF-8?Q?Trond_Endrest=c3=b8l?= <trond.endrestol@ximalas.info>, freebsd-questions@freebsd.org
Subject:   Re: ruby 2.4.7,1 considered vulnerable?
Message-ID:  <531cf12d-0038-ec72-f173-033d7b2d44ba@gmail.com>
In-Reply-To: <alpine.BSF.2.21.99999.352.1908310904001.5686@enterprise.ximalas.info>
References:  <alpine.BSF.2.21.99999.352.1908310904001.5686@enterprise.ximalas.info>



On 31/08/2019 5:09 pm, Trond Endrestøl wrote:
> Is this to be expected?
> 
>    $ pkg audit -Fr
>    vulnxml file up-to-date
>    ruby-2.4.7,1 is vulnerable:
>    RDoc -- multiple jQuery vulnerabilities
>    CVE: CVE-2015-9251
>    CVE: CVE-2012-6708
>    WWW: https://vuxml.FreeBSD.org/freebsd/ed8d5535-ca78-11e9-980b-999ff59c22ea.html
> 
>    Packages that depend on ruby: ruby24-bdb, dtrace-toolkit, portupgrade
> 
>    1 problem(s) in 1 installed package(s) found.
> 
> Given this entry in /var/db/pkg/vuln.xml, I expected 2.4.7,1 to be one
> of the corrected versions:
> 
>        <package>
>          <name>ruby</name>
>          <range><ge>2.4.0</ge><lt>2.4.7,1</lt></range>
>          <range><ge>2.5.0</ge><lt>2.5.6,1</lt></range>
>          <range><ge>2.6.0</ge><lt>2.6.3,1</lt></range>
>        </package>
> 
> The link for vuxml.FreeBSD.org agrees with me on this one:
> 
> Affected packages
> 2.4.0 <= ruby         < 2.4.7,1
> 2.5.0 <= ruby         < 2.5.6,1
> 2.6.0 <= ruby         < 2.6.3,1
>          rubygem-rdoc < 6.1.2
> 
> Could this be a bug in pkg(8)?

If the fix for the vulnerability is in 2.4.7 then it would seem that way.

Given the liberal use of portepoch in the package versions I expect the maintainer has got confused.
Indeed perhaps it's the portepoch that's causing the issue. Perhaps contact the maintainer to get it
worked through?
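As an added illustration (not part of the thread), here is a simplified FreeBSD-style version comparator: the portepoch after the comma is the most significant component, so any epoch-1 version sorts above every epoch-0 version. Feeding it the ruby ranges quoted from vuln.xml shows 2.4.7,1 clearing its own 2.4 range but falling inside the 2.5 and 2.6 ranges, whose lower bounds carry no epoch. Assumptions: dotted numeric versions only; pkg(8)'s real comparator also handles letters and suffixes.

```python
import re

# Constructed from the vuln.xml entry quoted in the thread: (ge, lt) pairs.
RUBY_RANGES = [("2.4.0", "2.4.7,1"), ("2.5.0", "2.5.6,1"), ("2.6.0", "2.6.3,1")]

def parse_pkgversion(v):
    """Split 'VERSION[_REVISION][,EPOCH]' into (epoch, version_tuple, revision).

    Tuple order matters: epoch is compared first, then the dotted version,
    then the port revision. Missing epoch/revision count as 0.
    Simplified (assumption): only dotted numeric versions are accepted.
    """
    m = re.fullmatch(r"([0-9.]+)(?:_(\d+))?(?:,(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    ver, rev, epoch = m.groups()
    return (int(epoch or 0), tuple(int(x) for x in ver.split(".")), int(rev or 0))

def in_range(installed, ge, lt):
    """True if ge <= installed < lt under epoch-first comparison."""
    i = parse_pkgversion(installed)
    return parse_pkgversion(ge) <= i < parse_pkgversion(lt)

def matching_ranges(installed, ranges=RUBY_RANGES):
    """Return every (ge, lt) range the installed version falls into."""
    return [(ge, lt) for ge, lt in ranges if in_range(installed, ge, lt)]

def is_vulnerable(installed, ranges=RUBY_RANGES):
    return bool(matching_ranges(installed, ranges))

if __name__ == "__main__":
    for v in ("2.4.6", "2.4.7", "2.4.7,1", "2.6.3,1"):
        print(f"ruby-{v}: matches {matching_ranges(v) or 'nothing'}")
```

The 2.4.7,1 line is the interesting one: its own range excludes it, yet the epoch bump lifts it above the epoch-less 2.5.0 and 2.6.0 lower bounds, so a range check like this still reports it.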


