Date:      Tue, 7 Aug 2018 12:34:42 +0200
From:      Tĳl Coosemans <tijl@FreeBSD.org>
To:        Ben Woods <woodsb02@FreeBSD.org>
Cc:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   Re: svn commit: r475048 - head/security/vuxml
Message-ID:  <20180807123442.18597c83@kalimero.tijl.coosemans.org>
In-Reply-To: <201807210650.w6L6oa7M004156@repo.freebsd.org>
References:  <201807210650.w6L6oa7M004156@repo.freebsd.org>

On Sat, 21 Jul 2018 06:50:36 +0000 (UTC) Ben Woods <woodsb02@FreeBSD.org> wrote:
> Author: woodsb02
> Date: Sat Jul 21 06:50:36 2018
> New Revision: 475048
> URL: https://svnweb.freebsd.org/changeset/ports/475048
> 
> Log:
>   security/vuxml: document VLC vulnerability
> 
> Modified:
>   head/security/vuxml/vuln.xml
> 
> Modified: head/security/vuxml/vuln.xml
> ==============================================================================
> --- head/security/vuxml/vuln.xml	Sat Jul 21 02:13:28 2018	(r475047)
> +++ head/security/vuxml/vuln.xml	Sat Jul 21 06:50:36 2018	(r475048)
> @@ -58,6 +58,42 @@ Notes:
>    * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
>  -->  
>  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
> +  <vuln vid="dc57ad48-ecbb-439b-a4d0-5869be47684e">
> +    <topic>vlc -- Use after free vulnerability</topic>
> +    <affects>
> +      <package>
> +	<name>vlc</name>
> +	<range><le>2.2.8_6,4</le></range>
> +      </package>
> +      <package>
> +	<name>vlc-qt4</name>
> +	<range><le>2.2.8_6,4</le></range>
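
Review bot: Both <range> elements in this entry (vlc and vlc-qt4) use the inclusive bound <le>2.2.8_6,4</le>, which pins the entry to one specific port revision, so any later revision of the same package version falls outside the range whether or not it carries a fix. Suggest an exclusive <lt> on the first fixed version, or a range with no upper bound while no fixed version exists.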

Please never use <le>.  The port has been bumped without fixing the issue
and is no longer marked vulnerable.  Use <ge>first vulnerable version</ge>
and/or <lt>first fixed version</lt>.  AFAICT <gt> and <le> are always
wrong.  In this case you could use <ge>*</ge>.
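
The failure described in this message, as an added example that is not part of the original e-mail and not FreeBSD's pkg code: a simplified VuXML range check showing how the committed <le> bound stops matching after a revision bump while <ge>*</ge> keeps matching. The bumped version 2.2.8_7,4 is constructed, the function names are hypothetical, and the comparison is a simplified stand-in for the real ports version ordering (numeric components only).

```python
import re

def parse(v):
    """Split a ports version 'version[_revision][,epoch]' into a sortable key.
    Simplified assumption: the version part is compared as integers only."""
    v, _, epoch = v.partition(",")
    v, _, rev = v.partition("_")
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    # Epoch dominates, then the upstream version, then the port revision.
    return (int(epoch or 0), parts, int(rev or 0))

OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
}

def in_range(installed, bounds):
    """bounds: (op, version) pairs taken from one <range>; all must hold.
    '*' is treated as a wildcard bound that every version satisfies."""
    key = parse(installed)
    return all(ver == "*" or OPS[op](key, parse(ver)) for op, ver in bounds)

def audit(installed, bounds):
    return "vulnerable" if in_range(installed, bounds) else "not flagged"

# Range from the commit under review, and the form suggested in the reply.
AS_COMMITTED = [("le", "2.2.8_6,4")]
SUGGESTED = [("ge", "*")]

# Constructed input: the same unfixed port after one PORTREVISION bump.
BUMPED = "2.2.8_7,4"

if __name__ == "__main__":
    ranges = (("<le>2.2.8_6,4</le>", AS_COMMITTED), ("<ge>*</ge>", SUGGESTED))
    for label, bounds in ranges:
        for ver in ("2.2.8_6,4", BUMPED):
            print(f"{label:20} vlc-{ver:10} -> {audit(ver, bounds)}")
```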


