From owner-freebsd-ports@FreeBSD.ORG Fri Feb 22 10:12:40 2013
Date: Fri, 22 Feb 2013 10:12:37 GMT
From: Anton Shterenlikht
Reply-To: mexas@bristol.ac.uk
Message-Id: <201302221012.r1MACbmS025426@mech-cluster241.men.bris.ac.uk>
To: freebsd-ports@freebsd.org
Subject: RE: ruby-1.8.7.371,1 is vulnerable ?
On 19-FEB I saw in the daily logs:

Checking for packages with security vulnerabilities:
Database fetched: Mon Feb 18 03:02:54 GMT 2013
ruby-1.8.7.371,1 is vulnerable:
Ruby -- XSS exploit of RDoc documentation generated by rdoc
WWW: http://portaudit.FreeBSD.org/d3e96508-056b-4259-88ad-50dc8d1978a6.html

ruby-1.8.7.371,1 is vulnerable:
Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON
WWW: http://portaudit.FreeBSD.org/c79eb109-a754-45d7-b552-a42099eb2265.html

But there is nothing in UPDATING, and now this warning has gone, while the port has not been updated:

$ pkg version -vX ruby
ruby-1.8.7.371,1 = up-to-date with port

So is this port vulnerable or not? If yes, should I switch to lang/ruby19? If not, was this some false positive, corrected later?

Thanks
Anton
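The situation described in this message (a finding that appears in one day's security report and is gone a few days later while the installed package is unchanged) is exactly the case a small report-diffing check can surface. The following is an added example, not code from the post or from FreeBSD; it parses two periodic security reports in the format quoted above and classifies every finding that vanished as either "resolved-by-upgrade" (the installed package name changed) or "dropped-same-version" (same package still installed, so the database entry itself must have changed and the advisory URL should be read to confirm the affected range). The first report is taken from the message; the second report and the alternative `pkg version` line are constructed samples.

```python
import re
from dataclasses import dataclass

# Sample report as quoted in the post (database fetched Mon Feb 18).
REPORT_FEB18 = """\
Checking for packages with security vulnerabilities:
Database fetched: Mon Feb 18 03:02:54 GMT 2013
ruby-1.8.7.371,1 is vulnerable:
Ruby -- XSS exploit of RDoc documentation generated by rdoc
WWW: http://portaudit.FreeBSD.org/d3e96508-056b-4259-88ad-50dc8d1978a6.html

ruby-1.8.7.371,1 is vulnerable:
Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON
WWW: http://portaudit.FreeBSD.org/c79eb109-a754-45d7-b552-a42099eb2265.html
"""

# Constructed sample: a later report in which the ruby entries no longer appear.
REPORT_LATER = """\
Checking for packages with security vulnerabilities:
Database fetched: Fri Feb 22 03:01:12 GMT 2013
"""

# Output of `pkg version -vX ruby` as quoted in the post.
INSTALLED = "ruby-1.8.7.371,1 = up-to-date with port"


@dataclass(frozen=True)
class Finding:
    package: str  # full package name with version, e.g. ruby-1.8.7.371,1
    title: str    # one-line advisory title
    url: str      # advisory URL from the "WWW:" line


VULN_RE = re.compile(r"^(\S+) is vulnerable:\s*$")
DB_RE = re.compile(r"^Database fetched: (.+)$")


def parse_report(text):
    """Return (database_date, set of Finding) from a periodic security report.

    Each finding is three consecutive lines: "<pkg> is vulnerable:", the title,
    and "WWW: <url>". Anything else (headers, blank lines) is skipped.
    """
    db_date = None
    findings = set()
    lines = [line.rstrip() for line in text.splitlines()]
    i = 0
    while i < len(lines):
        m = DB_RE.match(lines[i])
        if m:
            db_date = m.group(1)
        m = VULN_RE.match(lines[i])
        if m and i + 2 < len(lines) and lines[i + 2].startswith("WWW: "):
            findings.add(Finding(m.group(1), lines[i + 1], lines[i + 2][5:]))
            i += 3
            continue
        i += 1
    return db_date, findings


def package_base(name):
    """Strip the version: 'ruby-1.8.7.371,1' -> 'ruby'."""
    base, _, _version = name.rpartition("-")
    return base


def vanished_findings(old_text, new_text, installed_line):
    """Map advisory URL -> status for findings present in old_text but not new_text.

    installed_line is the current `pkg version -vX <name>` output line; only
    findings for that package base are classified.
    """
    _, old = parse_report(old_text)
    _, new = parse_report(new_text)
    installed_pkg = installed_line.split()[0]
    results = {}
    for f in old - new:
        if package_base(f.package) != package_base(installed_pkg):
            continue  # finding belongs to a different package; not our concern here
        if installed_pkg == f.package:
            # Same package still installed, yet the warning is gone: the database
            # entry changed, not the system. Read f.url to see what was revised.
            results[f.url] = "dropped-same-version"
        else:
            results[f.url] = "resolved-by-upgrade"
    return results


if __name__ == "__main__":
    for url, status in sorted(vanished_findings(REPORT_FEB18, REPORT_LATER, INSTALLED).items()):
        print(status, url)
```

Run against two saved copies of the daily security output and the current `pkg version -vX` line for the package in question. A "dropped-same-version" result means the reporting tool's vulnerability database changed between the two fetches; the WWW: URL in the original report is the entry to read to see whether its affected-version range was narrowed or the entry withdrawn.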