From: Matthias Andree
Sender: Matthias Andree
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: remko@FreeBSD.org, secteam@FreeBSD.org, simon@FreeBSD.org
Date: Sun, 20 Feb 2011 13:01:26 +0100
Subject: ports/154911: bogus linux-jdk entry in vuln.xml?
>Number:         154911
>Category:       ports
>Synopsis:       bogus linux-jdk entry in vuln.xml?
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 20 15:50:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Matthias Andree
>Release:        FreeBSD 8.2-PRERELEASE amd64
>Organization:
FreeBSD
>Environment:
System: FreeBSD apollo.emma.line.org 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #61: Tue Feb 15 23:03:47 CET 2011 root@apollo.emma.line.org:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
Greetings,

vuln.xml as of revision 1.633 (Sat Apr 16 22:35:09 2005 UTC), committed by remko and approved by simon, contains these lines in the vid="18e5428f-ae7c-11d9-837d-000e0c2e438a" section - sorry, rewriting to pseudo-lisp syntax to avoid send-pr comment stripping:

(vuln vid="..." (topic)(affects (package (name linux-jdk)(range >= 0))))

Apparently this blocks linux-sun-jdk-1.6.0.24 upgrades in ports. Could someone check this entry for me so that we can upgrade linux-sun-jdk without forcing DISABLE_VULNERABILITIES? Thanks.

I also wonder what the general policy WRT PKGNAMEPREFIX vs. PORTNAME is for the vulnerability checking.

Error received from how-to-repeat section (apparently bogus):

===>  linux-sun-jdk-1.6.0.24 has known vulnerabilities:
=> jdk -- jar directory traversal vulnerability.
   Reference: http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html
>How-To-Repeat:
cd /usr/ports/java/linux-sun-jdk16 && make
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
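As an added illustration, not part of the PR, here is a small Python checker run over a constructed vuln.xml fragment: the vid, topic and the linux-jdk entry with range >= 0 are taken from the report above, while the linux-sun-jdk entry with a bounded range is hypothetical and shows the contrast. The version ordering is a simplification of pkg_version(1), not the real algorithm, and the fragment omits the vuxml namespace for brevity.

```python
import re
import xml.etree.ElementTree as ET

# Constructed vuln.xml fragment (namespace omitted). The vid, topic and the
# linux-jdk/>=0 package entry follow the PR; the linux-sun-jdk entry with a
# bounded <lt> range is hypothetical, added to contrast with an open range.
VULN_XML = """<vuxml>
  <vuln vid="18e5428f-ae7c-11d9-837d-000e0c2e438a">
    <topic>jdk -- jar directory traversal vulnerability</topic>
    <affects>
      <package><name>linux-jdk</name><range><ge>0</ge></range></package>
      <package><name>linux-sun-jdk</name><range><lt>1.6.0.24</lt></range></package>
    </affects>
  </vuln>
</vuxml>"""

def split_pkgname(pkgname):
    """Split 'linux-sun-jdk-1.6.0.24' into ('linux-sun-jdk', '1.6.0.24')."""
    name, _, version = pkgname.rpartition("-")
    return name, version

def version_key(version):
    """Simplified ordering (not pkg_version(1)): split on . _ , and
    compare numeric components as ints, text components after them."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[._,]", version))

OPS = {"ge": lambda v, b: v >= b, "gt": lambda v, b: v > b,
       "le": lambda v, b: v <= b, "lt": lambda v, b: v < b}

def in_range(version, range_el):
    """Every bound inside a <range> must hold; an empty <range> matches all."""
    v = version_key(version)
    return all(OPS[b.tag](v, version_key(b.text.strip())) for b in range_el)

def find_vulns(xml_text, pkgname):
    """Return [(vid, topic)] for each vuln whose <affects> covers pkgname.
    Names are compared exactly; any one matching <range> marks it affected."""
    name, version = split_pkgname(pkgname)
    hits = []
    for vuln in ET.fromstring(xml_text).iter("vuln"):
        for pkg in vuln.iter("package"):
            if pkg.findtext("name") == name and any(
                    in_range(version, r) for r in pkg.findall("range")):
                hits.append((vuln.get("vid"), vuln.findtext("topic")))
                break
    return hits

if __name__ == "__main__":
    for pkg in ("linux-jdk-1.6.0.24", "linux-sun-jdk-1.6.0.24", "linux-sun-jdk-1.6.0.23"):
        print(pkg, "->", find_vulns(VULN_XML, pkg))
```

With `<ge>0</ge>` every linux-jdk version is flagged, including any future fixed release, whereas the bounded entry stops flagging linux-sun-jdk once 1.6.0.24 is installed.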