Date: Mon, 21 Sep 2015 06:24:08 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 203227] vuln.xml incorrectly flagging ruby20 as insecure
Message-ID: <bug-203227-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203227

Bug ID: 203227
Summary: vuln.xml incorrectly flagging ruby20 as insecure
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Ports Framework
Assignee: portmgr@FreeBSD.org
Reporter: terry@tmk.com
CC: freebsd-ports-bugs@FreeBSD.org

"pkg audit -F" incorrectly reports ruby-2.0.0.647,1 as vulnerable. I have confirmed that it is NOT vulnerable by checking both https://www.ruby-lang.org/en/ and https://vuxml.freebsd.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html.

I have "DEFAULT_VERSIONS+=ruby=2.0" in my /etc/make.conf file.

It appears that the problem is in the vuln.xml file, as it checks for installed ports named ruby20, ruby, and ruby22. If I remove the vuln.xml entry for "ruby", the ruby20 port is no longer marked as vulnerable. It appears that some part of the ports framework thinks that ruby20 is "ruby" for purposes of checking for vulnerabilities. I am not sure why that is happening, as "pkg info -o ruby" reports the origin as ruby20.

Note: Bug filed after emailing ruby@freebsd.org and receiving no response after 10 days.

--
You are receiving this mail because:
You are on the CC list for the bug.
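The report above turns on how an audit tool decides that an installed package is affected by a vuln.xml entry. The following is an added example, not code from pkg(8), the ports framework or the bug reporter: a toy VuXML-style matcher that compares an installed package's name and version against the <package><name> and <range> elements of an entry. The vid and the version ranges in the embedded entry are constructed placeholders and are not the content of the real entry linked in the report; the installed package (name "ruby", version "2.0.0.647,1", origin lang/ruby20) is taken from the report. The point it demonstrates is that matching is done on the package name and version only; the port origin is separate metadata that plays no part in the comparison, which is why checking "pkg info -o" does not tell you whether an entry will match.

```python
"""
Added example (constructed; not pkg(8) or the ports framework's own code):
a toy VuXML-style matcher showing how an audit tool decides whether an
installed package is affected. It matches on package NAME and VERSION only,
never on the port ORIGIN, so a package named "ruby" is checked against every
<package><name>ruby</name> entry no matter which port directory built it.
"""
import re
import xml.etree.ElementTree as ET

# Constructed VuXML-like entry. The vid and the version ranges are
# placeholders, NOT the content of the real entry cited in the bug report,
# and the real VuXML namespace declaration is omitted for brevity.
VULN_XML = """
<vuxml>
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>ruby -- example vulnerability (constructed)</topic>
    <affects>
      <package><name>ruby</name><range><lt>2.0.0.648,1</lt></range></package>
      <package><name>ruby20</name><range><lt>2.0.0.648,1</lt></range></package>
      <package><name>ruby22</name><range><ge>2.2</ge><lt>2.2.3,1</lt></range></package>
    </affects>
  </vuln>
</vuxml>
"""


def _component_key(component):
    # "647" -> ((0, 647),); "1p2" -> ((0, 1), (1, "p"), (0, 2)).
    # Numeric tokens sort before alphabetic ones.
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", component))


def version_key(version):
    """Simplified FreeBSD-style version ordering: the epoch (",N") dominates,
    then the dotted version, then the port revision ("_N"). This is a
    constructed approximation of pkg(8)'s real comparison rules."""
    epoch = 0
    if "," in version:
        version, e = version.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in version:
        version, r = version.rsplit("_", 1)
        revision = int(r)
    return (epoch, tuple(_component_key(c) for c in version.split(".")), revision)


_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version, range_elem):
    """A <range> matches when every bound element inside it holds."""
    v = version_key(version)
    return all(_OPS[b.tag](v, version_key(b.text.strip())) for b in range_elem)


def audit(vuxml_text, pkgname, version):
    """Return the vids of all entries whose <package><name> equals the
    installed package name and whose ranges contain the installed version.
    Note that no origin argument exists: origin is never consulted."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.iter("vuln"):
        for pkg in vuln.iter("package"):
            if pkg.findtext("name") != pkgname:
                continue
            if any(in_range(version, r) for r in pkg.iter("range")):
                hits.append(vuln.get("vid"))
                break
    return hits


if __name__ == "__main__":
    # The installed package from the report: name "ruby", version
    # "2.0.0.647,1"; its origin (lang/ruby20) is separate metadata.
    print(audit(VULN_XML, "ruby", "2.0.0.647,1"))
```

With the constructed ranges, the package named "ruby" at 2.0.0.647,1 is reported against the entry because its name matches the "ruby" package element and its version sorts below the upper bound; the same package would also match if it were named "ruby20". When triaging a suspected false positive, the thing to compare is therefore the installed package name and version (as pkg stores them) against the entry's <name> and <range> elements, and the remedy is to correct the entry's ranges or names rather than to rely on the origin.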