From: "Ing. Bretislav Kubesa"
Date: Sun, 21 Jun 2015 19:55:37 +0000
Subject: Re: FreeBSD Port: ruby20-2.0.0.645,1 - reported as vulnerable while it isn't ?
To: Steve Wills
Cc: ruby@freebsd.org, ports@freebsd.org

Hi,

not sure if I can help further, but if I understand correctly, yes - ruby 2.0 is/was default.

*pkg audit* (after forced upgrade)
ruby-2.0.0.645,1 is vulnerable:
Ruby -- OpenSSL Hostname Verification Vulnerability
CVE: CVE-2015-1855
WWW: https://vuxml.FreeBSD.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html

*pkg info | grep ruby*
ruby-2.0.0.645,1 Object-oriented interpreted scripting language

*make.conf* - ruby related part :
#
# Keep ruby 2.0 as default version
#
DEFAULT_VERSIONS+=ruby=2.0

Best regards,
Bretislav Kubesa

On Sun, 21 Jun 2015 at 16:54, Steve Wills wrote:

> Hi,
>
> Did you build your own ports where ruby 2.0 was default? I see the package name
> here is ruby-2.0.0.645,1, not ruby20-2.0.0.645,1. The entries in vuxml look
> like this:
>
> 3326 ruby20
> 3327 2.0.0.645,1
>
> ...
>
> 3330 ruby
> 3331 2.1.6,1
>
> So I think maybe it's matching the second entry and then looking for a ruby
> version 2.1.6,1 or newer. Not sure what the right solution is for this right
> now.
>
> Steve
>
>
> On Sun, Jun 21, 2015 at 08:43:33AM +0200, Ing. Břetislav Kubesa wrote:
> > Hi,
> >
> > already for longer time while updating to 2.0.0.645,1 version, I'm
> > getting message that it's vulnerable, but I think it's not the case as
> > vulnerable are ruby20 < 2.0.0.645,1 (but it's not ruby20 <= 2.0.0.645,1).
> > However I'm not sure where to report it for checking, so I hope it's the
> > right place here.
> >
> > Thank you.
> >
> >
> > ---> Upgrading 'ruby-2.0.0.643_1,1' to 'ruby-2.0.0.645,1' (lang/ruby20)
> > ---> Building '/usr/ports/lang/ruby20'
> > ===> Cleaning for ruby-2.0.0.645,1
> > ===> ruby-2.0.0.645,1 has known vulnerabilities:
> > ruby-2.0.0.645,1 is vulnerable:
> > Ruby -- OpenSSL Hostname Verification Vulnerability
> > CVE: CVE-2015-1855
> > WWW: http://vuxml.FreeBSD.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html
> >
> > Best regards,
> > Bretislav Kubesa
> > _______________________________________________
> > freebsd-ports@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> > To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
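
The mismatch Steve suspects can be reproduced with a small model of name-plus-range matching. This is an added example, not code from pkg or from anyone in the thread; the entry tuples, the function names and the simplified version comparison (dotted numbers, optional _revision and ,epoch only) are assumptions made for illustration.

```python
# Constructed model of the two vuxml entries quoted in the thread:
# (package name, operator, version bound). "lt" means "older than".
VUXML_ENTRIES = [
    ("ruby20", "lt", "2.0.0.645,1"),
    ("ruby", "lt", "2.1.6,1"),
]


def parse_version(version):
    """Turn 'X.Y.Z[_revision][,epoch]' into a tuple that sorts correctly.

    Simplified assumption: numeric dotted versions only, which covers
    every version string that appears in the thread.
    """
    version, _, epoch = version.partition(",")
    version, _, revision = version.partition("_")
    numbers = tuple(int(part) for part in version.split("."))
    # Epoch dominates, then the version itself, then the port revision.
    return (int(epoch or 0), numbers, int(revision or 0))


def split_pkgname(pkg):
    """'ruby-2.0.0.645,1' -> ('ruby', '2.0.0.645,1')."""
    name, _, version = pkg.rpartition("-")
    return name, version


def audit(pkg, entries=VUXML_ENTRIES):
    """Return every entry whose name equals the installed package name
    and whose 'lt' bound is newer than the installed version."""
    name, version = split_pkgname(pkg)
    installed = parse_version(version)
    return [
        (entry_name, op, bound)
        for entry_name, op, bound in entries
        if entry_name == name and op == "lt" and installed < parse_version(bound)
    ]


if __name__ == "__main__":
    # Package names as they appear in the thread, plus the ruby20- form
    # the port would have when ruby 2.0 is not the default version.
    for pkg in ("ruby-2.0.0.645,1", "ruby20-2.0.0.645,1", "ruby20-2.0.0.643_1,1"):
        print(pkg, "->", audit(pkg) or "not flagged")
```

With ruby 2.0 set as the default version the package is named ruby-2.0.0.645,1, so in this model it is compared against the ruby < 2.1.6,1 entry and flagged, while the same build named ruby20-2.0.0.645,1 is not.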