Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 21 Feb 2015 06:25:27 +0000
From:      bugzilla-noreply@freebsd.org
To:        ruby@FreeBSD.org
Subject:   [Bug 197875] [PATCH] lang/ruby22: fix false-positive vulnerabilities when set as default ruby version.
Message-ID:  <bug-197875-21402@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197875

            Bug ID: 197875
           Summary: [PATCH] lang/ruby22: fix false-positive
                    vulnerabilities when set as default ruby version.
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ruby@FreeBSD.org
          Reporter: freebsd.org@pob01.utahime.jp
          Assignee: ruby@FreeBSD.org
             Flags: maintainer-feedback?(ruby@FreeBSD.org)

When set as default ruby version, lang/ruby22 fails to build because of
false-positive vulnerabilities as following:

root@rolling-vm-freebsd1:/ # grep DEFAULT_VERSIONS /etc/make.conf
DEFAULT_VERSIONS=       apache=2.4 perl5=5.20 php=5.5 ruby=2.2
root@rolling-vm-freebsd1:/ # cd /usr/ports/lang/ruby22/
root@rolling-vm-freebsd1:/usr/ports/lang/ruby22 # make
===>  ruby-2.2.0 has known vulnerabilities:
ruby-2.2.0 is vulnerable:
ruby -- multiple vulnerabilities
CVE: CVE-2006-3694
WWW: http://vuxml.FreeBSD.org/freebsd/76562594-1f19-11db-b7d4-0008743bf21a.html

ruby-2.2.0 is vulnerable:
Multiple implementations -- DoS via hash algorithm collision
CVE: CVE-2011-5037
CVE: CVE-2011-5036
CVE: CVE-2011-4815
CVE: CVE-2011-4838
WWW: http://vuxml.FreeBSD.org/freebsd/91be81e7-3fea-11e1-afc7-2c4138874f7d.html

1 problem(s) in the installed packages found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update
available.
=> If you wish to ignore this vulnerability rebuild with 'make
DISABLE_VULNERABILITIES=yes'
*** Error code 1

Stop.
make[1]: stopped in /am/eastasia/usr0/freebsd/ports/ports/lang/ruby22
*** Error code 1

Stop.
make: stopped in /am/eastasia/usr0/freebsd/ports/ports/lang/ruby22
root@rolling-vm-freebsd1:/usr/ports/lang/ruby22 #

Attached patch fixes the issue.

--- Comment #1 from Bugzilla Automation <bugzilla@FreeBSD.org> ---
Auto-assigned to maintainer ruby@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-197875-21402>