Date: Sun, 20 Feb 2011 18:30:14 GMT
From: "Matthias Andree" <mandree@FreeBSD.org>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/154911: bogus linux-jdk entry in vuln.xml?
Message-ID: <201102201830.p1KIUE1x071823@freefall.freebsd.org>

The following reply was made to PR ports/154911; it has been noted by GNATS.

From: "Matthias Andree" <mandree@FreeBSD.org>
To: "Remko Lodder" <remko@FreeBSD.org>, freebsd-gnats-submit@FreeBSD.org
Cc: "Matthias Andree" <mandree@FreeBSD.org>, "Simon Nielsen" <simon@FreeBSD.org>, ports-security@FreeBSD.org
Subject: Re: ports/154911: bogus linux-jdk entry in vuln.xml?
Date: Sun, 20 Feb 2011 19:27:41 +0100

Remko Lodder, 2011-02-20:

> The entry has this:
>
> 41915 <package>
> 41916 <name>linux-sun-jdk</name>
> 41917 <range><le>1.4.2.08_1</le></range>
> 41918 <range><ge>1.5.*</ge><le>1.5.2.02,2</le></range>
> 41919 </package>
>
> so it shouldn't block your upgrade.
>
> The PKGNAME is:
>
> linux-sun-jdk-1.6.0.24
>
> Which is used to do the matching (linux-sun-jdk being the PKG and 1.6.0.24
> being the VERSION).
>
> That said; I don't know why this blocks..

I do now, after hacking vxquery to print matched name + range.

Read line 41918 again, very closely, and pay attention to PORTEPOCH - basically line 41918 marks all versions with PORTEPOCH 0 and 1 vulnerable, and all with PORTEPOCH 2 and a version <= 1.5.2.02,2. Oops.

Bottom line: affects elements need to have one line per PORTEPOCH affected if there are multiple package versions in parallel, such as linux-sun-jdk15 and linux-sun-jdk16.

Also note that there should be no versions containing ".*" anywhere because we use version comparison, not globbing.

-- 
Matthias Andree
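
The PORTEPOCH effect described in the message above, as an added example that is not part of the original e-mail or of vxquery: a simplified Python model of ports version ordering (epoch first, then the dotted version, then the revision) applied to the quoted ranges. The function names, the treatment of `*` as lower than any number, and the `SAME_EPOCH` range are assumptions made for illustration.

```python
"""Simplified model of ports version ordering: PORTEPOCH, then version, then revision."""

def parse(version):
    """Split 'VERSION[_REVISION][,EPOCH]' into (epoch, parts, revision)."""
    version, _, epoch = version.partition(",")
    version, _, revision = version.partition("_")
    # Assumption of this sketch: '*' sorts below every number; alphabetic
    # components (e.g. '1.0.b2') are out of scope.
    parts = tuple(-1 if p == "*" else int(p) for p in version.split("."))
    return int(epoch or 0), parts, int(revision or 0)

def compare(a, b):
    """Return -1, 0 or 1; the epoch outranks everything else."""
    (ea, pa, ra), (eb, pb, rb) = parse(a), parse(b)
    width = max(len(pa), len(pb))  # missing components count as 0
    ka = (ea, pa + (0,) * (width - len(pa)), ra)
    kb = (eb, pb + (0,) * (width - len(pb)), rb)
    return (ka > kb) - (ka < kb)

OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def matching_ranges(version, ranges):
    """Return the ranges whose bounds all hold for version."""
    return [r for r in ranges
            if all(OPS[op](compare(version, bound)) for op, bound in r.items())]

# Ranges as quoted in the message (vuln.xml lines 41917 and 41918).
QUOTED = [{"le": "1.4.2.08_1"}, {"ge": "1.5.*", "le": "1.5.2.02,2"}]
# Constructed alternative whose lower bound carries the same PORTEPOCH as the
# upper bound; illustrative only, not the actual vuln.xml change.
SAME_EPOCH = [{"le": "1.4.2.08_1"}, {"ge": "1.5.0,2", "le": "1.5.2.02,2"}]

if __name__ == "__main__":
    for label, ranges in (("quoted", QUOTED), ("same-epoch", SAME_EPOCH)):
        for v in ("1.6.0.24", "1.5.2.01,2", "1.4.2.08"):
            print(f"{label:10} {v:12} -> {matching_ranges(v, ranges)}")
```

With the quoted range, 1.6.0.24 (PORTEPOCH 0) passes the lower bound on its version number and the upper bound on its epoch alone, which is the false positive reported in the PR.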