From owner-svn-ports-all@freebsd.org  Thu Apr  6 13:00:11 2017
Return-Path: <owner-svn-ports-all@freebsd.org>
Delivered-To: svn-ports-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 62F42D2F268;
 Thu,  6 Apr 2017 13:00:11 +0000 (UTC) (envelope-from adamw@adamw.org)
Received: from apnoea.adamw.org (apnoea.adamw.org [104.225.5.94])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "apnoea.adamw.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id CB0A380C;
 Thu,  6 Apr 2017 13:00:10 +0000 (UTC) (envelope-from adamw@adamw.org)
Received: by apnoea.adamw.org (OpenSMTPD) with ESMTPSA id cbf0ec65
 TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO;
 Thu, 6 Apr 2017 07:00:03 -0600 (MDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Subject: Re: svn commit: r437790 - head/security/vuxml
From: Adam Weinberger <adamw@adamw.org>
In-Reply-To: <201704051434.v35EYFBe007232@repo.freebsd.org>
Date: Thu, 6 Apr 2017 07:00:01 -0600
Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <CAC9A777-C72E-42C1-9F6A-E8FB834814CF@adamw.org>
References: <201704051434.v35EYFBe007232@repo.freebsd.org>
To: Bernard Spil <brnrd@freebsd.org>
X-Mailer: Apple Mail (2.3273)
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the ports tree <svn-ports-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-all/>
List-Post: <mailto:svn-ports-all@freebsd.org>
List-Help: <mailto:svn-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2017 13:00:11 -0000

> On 5 Apr, 2017, at 8:34, Bernard Spil <brnrd@freebsd.org> wrote:
>=20
> Author: brnrd
> Date: Wed Apr  5 14:34:15 2017
> New Revision: 437790
> URL: https://svnweb.freebsd.org/changeset/ports/437790
>=20
> Log:
>  security/vuxml: Document curl vulnerability
>=20
> Modified:
>  head/security/vuxml/vuln.xml
>=20
> Modified: head/security/vuxml/vuln.xml
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D
> --- head/security/vuxml/vuln.xml	Wed Apr  5 14:24:09 2017	=
(r437789)
> +++ head/security/vuxml/vuln.xml	Wed Apr  5 14:34:15 2017	=
(r437790)
> @@ -58,6 +58,39 @@ Notes:
>   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">
> +  <vuln vid=3D"04f29189-1a05-11e7-bc6e-b499baebfeaf">
> +    <topic> -- </topic>
> +    <affects>
> +      <package>
> +	<name>curl</name>
> +	<range><ge>6.5</ge><lt>7.54.0</lt></range>

The port wasn't updated to 7.54.0, the CVE patch was added to 7.53.1. =
Shouldn't it be <lt>7.53.1_1</lt>? Currently, our patched port is listed =
as still being vulnerable.

# Adam


--=20
Adam Weinberger
adamw@adamw.org
https://www.adamw.org