Date: Mon, 31 Jul 2006 23:53:25 +0200 From: "Simon L. Nielsen" <simon@FreeBSD.org> To: Dan Langille <dan@langille.org> Cc: vuxml@freebsd.org Subject: Re: correct versions for lang/ruby18? Message-ID: <20060731215324.GD1154@zaphod.nitro.dk> In-Reply-To: <44CD4616.6955.1CD8B337@dan.langille.org> References: <44CD4616.6955.1CD8B337@dan.langille.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2006.07.30 23:51:50 -0400, Dan Langille wrote: > Are the versions for ruby18 specified correctly here? > > http://www.vuxml.org/freebsd/76562594-1f19-11db-b7d4-0008743bf21a.html > > 1.6.* < ruby < 1.8.* > 1.8.* < ruby < 1.8.4_9,1 > 1.6.* < ruby_static < 1.8.* > 1.8.* < ruby_static < 1.8.4_9,1 > > Is that expected? Doesn't 1.8.* mean 1.8.4_9,1 is also affected? > > Perhaps 1.8.* should be 1.8 That seems correct to me (it should better, I suggsted it ;-) ). "*" means basically the smallest possible version and "less than" is used, not "less than equal", so the above entries for 1.6 means any version larger than the smallest 1.6 and less than any 1.8 version. Of cause the above really could be minimized to "ruby < 1.8.4_9,1" and drop the 1.6 entry. The reason that wasn't done was to make it simpler to add fixed version info for 1.6 if that comes... There is also the sidenote that since ruby 1.8.* above does not include epoch 1 (,1 in version) and ruby 1.8 is now at port epoch 1 it could never match, since "lowest_version,1 > higest_version". The reason for using .* is to catch any beta version etc. (frankly I'm not really sure right now if it's really an issue for ruby here but I'm a bit to tired to really double check). You can see the problem here: [simon@zaphod:~] pkg_version -t 1.8.0.p1 '1.8.*' > [simon@zaphod:~] pkg_version -t 1.8.0.p1 1.8 < [simon@zaphod:~] pkg_version -t 1.8.0.p1 1.8.0 < Both portaudit and vxquery seems to agree that the entry is correct: [simon@eddie:vuxml] portaudit -q 'ruby-1.8.4_9,1' [simon@eddie:vuxml] portaudit -q 'ruby-1.8.4_8,1' ruby-1.8.4_8,1 [simon@eddie:vuxml] vxquery vuln.xml 'ruby-1.8.4_9,1' [simon@eddie:vuxml] vxquery vuln.xml 'ruby-1.8.4_8,1' Topic: ruby - multiple vulnerabilities Affects: 1.6.* < ruby < 1.8.* 1.8.* < ruby < 1.8.4_9,1 1.6.* < ruby_static < 1.8.* 1.8.* < ruby_static < 1.8.4_9,1 References: bid:18944 cvename:CVE-2006-3694 url:http://secunia.com/advisories/21009/ url:http://jvn.jp/jp/JVN%2383768862/index.html url:http://jvn.jp/jp/JVN%2313947696/index.html <URL:http://vuxml.freebsd.org/76562594-1f19-11db-b7d4-0008743bf21a.html>; -- Simon L. Nielsen
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060731215324.GD1154>