Date: Sun, 21 Jun 2015 19:55:37 +0000
From: "Ing. Bretislav Kubesa" <bretislav.kubesa@gmail.com>
To: Steve Wills <swills@freebsd.org>
Cc: ruby@freebsd.org, ports@freebsd.org
Subject: Re: FreeBSD Port: ruby20-2.0.0.645,1 - reported as vulnerable while it isn't ?
Message-ID: <CA+DmxtB_pvQKR+8pHbJ3iG6sfOjrQmMVmmNzPtm=7m+OCZoknw@mail.gmail.com>
In-Reply-To: <20150621145426.GA39135@mouf.net>
References: <55865D15.5010608@gmail.com> <20150621145426.GA39135@mouf.net>
Hi,

not sure if I can help further, but if I understand correctly, yes - ruby 2.0 is/was the default.

*pkg audit* (after forced upgrade)

ruby-2.0.0.645,1 is vulnerable:
Ruby -- OpenSSL Hostname Verification Vulnerability
CVE: CVE-2015-1855
WWW: https://vuxml.FreeBSD.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html

*pkg info | grep ruby*

ruby-2.0.0.645,1 Object-oriented interpreted scripting language

*make.conf* - ruby related part:

#
# Keep ruby 2.0 as default version
#
DEFAULT_VERSIONS+=ruby=2.0

Best regards,
Bretislav Kubesa

On Sun, 21 Jun 2015 at 16:54, Steve Wills <swills@freebsd.org> wrote:
> Hi,
>
> Did you build your own ports where ruby 2.0 was default? I see the package name
> here is ruby-2.0.0.645,1, not ruby20-2.0.0.645,1. The entries in vuxml look
> like this:
>
> 3326 <name>ruby20</name>
> 3327 <range><lt>2.0.0.645,1</lt></range>
>
> ...
>
> 3330 <name>ruby</name>
> 3331 <range><lt>2.1.6,1</lt></range>
>
> So I think maybe it's matching the second entry and then looking for a ruby
> version 2.1.6,1 or newer. Not sure what the right solution is for this
> right now.
>
> Steve
>
>
> On Sun, Jun 21, 2015 at 08:43:33AM +0200, Ing. Břetislav Kubesa wrote:
> > Hi,
> >
> > for a longer time already, while updating to version 2.0.0.645,1, I'm
> > getting a message that it's vulnerable, but I think that's not the case, as
> > the vulnerable versions are ruby20 < 2.0.0.645,1 (not ruby20 <= 2.0.0.645,1).
> > However, I'm not sure where to report it for checking, so I hope this is the
> > right place.
> >
> > Thank you.
> >
> >
> > ---> Upgrading 'ruby-2.0.0.643_1,1' to 'ruby-2.0.0.645,1' (lang/ruby20)
> > ---> Building '/usr/ports/lang/ruby20'
> > ===> Cleaning for ruby-2.0.0.645,1
> > ===> ruby-2.0.0.645,1 has known vulnerabilities:
> > ruby-2.0.0.645,1 is vulnerable:
> > Ruby -- OpenSSL Hostname Verification Vulnerability
> > CVE: CVE-2015-1855
> > WWW: http://vuxml.FreeBSD.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html
> >
> > Best regards,
> > Bretislav Kubesa
> > _______________________________________________
> > freebsd-ports@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> > To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
>
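The mismatch Steve describes above, reproduced as an added example (not code from the thread or from pkg itself): a port built with DEFAULT_VERSIONS ruby=2.0 is packaged as `ruby`, so `ruby-2.0.0.645,1` is compared against the `ruby` vuxml entry (`<lt>2.1.6,1</lt>`) instead of the `ruby20` entry. The vuxml fragment below is constructed from the two entries quoted in the mail, and `version_key` is a simplified version ordering (epoch, dotted components, port revision) assumed to mirror pkg's; it is not pkg's implementation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed vuxml fragment mirroring the two <package> entries quoted in the
# thread; the vid and topic are taken from the advisory URL in the mail.
VULN_XML = """<vuxml>
<vuln vid="d4379f59-3e9b-49eb-933b-61de4d0b0fdb">
  <topic>Ruby -- OpenSSL Hostname Verification Vulnerability</topic>
  <affects>
    <package><name>ruby20</name><range><lt>2.0.0.645,1</lt></range></package>
    <package><name>ruby</name><range><lt>2.1.6,1</lt></range></package>
  </affects>
</vuln>
</vuxml>"""

def version_key(ver):
    """Simplified FreeBSD package version ordering (assumption, not pkg's code):
    'VERSION[_REVISION][,EPOCH]' -> (epoch, dotted components, revision)."""
    epoch = rev = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1); epoch = int(e)
    if "_" in ver:
        ver, r = ver.rsplit("_", 1); rev = int(r)
    parts = []
    for p in ver.split("."):
        m = re.match(r"(\d*)(.*)", p)          # numeric prefix, then any suffix
        parts.append((int(m.group(1) or 0), m.group(2)))
    return (epoch, tuple(parts), rev)

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b}

def in_range(ver, rng):
    # Every condition inside one <range> must hold (conjunction).
    return all(OPS[c.tag](version_key(ver), version_key(c.text)) for c in rng)

def matching_entries(pkg, vuln_xml=VULN_XML):
    """Return (vid, package-name) pairs whose <name> equals the package's
    name and whose <range> covers its version -- the check pkg audit does."""
    name, ver = pkg.rsplit("-", 1)             # 'ruby-2.0.0.645,1' -> ruby, 2.0.0.645,1
    hits = []
    for vuln in ET.fromstring(vuln_xml).iter("vuln"):
        for entry in vuln.iter("package"):
            if entry.findtext("name") != name:
                continue
            if any(in_range(ver, r) for r in entry.findall("range")):
                hits.append((vuln.get("vid"), name))
    return hits

if __name__ == "__main__":
    for pkg in ("ruby-2.0.0.645,1", "ruby20-2.0.0.645,1", "ruby20-2.0.0.643_1,1"):
        print(pkg, "->", matching_entries(pkg) or "clean")
```

Run as-is, the `ruby`-named package is flagged while the identically versioned `ruby20` package is clean, which is the false positive reported in the thread.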