Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 20 Dec 2020 16:13:34 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 251995] security/vuxml request for version ranges for www/node entries
Message-ID:  <bug-251995-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D251995

            Bug ID: 251995
           Summary: security/vuxml request for version ranges for www/node
                    entries
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: 000.fbsd@quip.cz
                CC: bhughes@freebsd.org, ports-secteam@FreeBSD.org
                CC: bhughes@freebsd.org, ports-secteam@FreeBSD.org

I would like to ask for version range of www/node
https://vuxml.freebsd.org/freebsd/ad792169-2aa4-11eb-ab71-0022489ad614.html

The current specifiacation is:

Affected packages
node    <       15.2.1
node14  <       14.15.1
node12  <       12.19.1

www/node is specified without the lower end so if fix for www/node in quate=
rly
branch is backported from www/node14 then we have a port www/node of version
14.15.1 which is not vulnerable but is reported vulnerable be pkg audit.
Can the "affected" be always  specified as "X.0.0 < X.Y.Z" and not just "<
X.Y.Z"?
example:=20
node -  15.0.0 < 15.2.1
node14 - 14.0.0 < 14.15.1
node12 - 12.0.0 < 12.19.1

Similar situation affect some other ports (vulnerabilities) too. It caused
problems for FreeBSD base vulnerablity too (last week)

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-251995-7788>