Date: Tue, 19 Feb 2013 01:03:13 +0100
From: Matthias Andree <mandree@FreeBSD.org>
To: Steve Wills <swills@FreeBSD.org>, Eitan Adler <eadler@freebsd.org>
Cc: ruby@freebsd.org
Subject: ruby 1.8 (json issue) vs. vuxml
Message-ID: <5122C141.3000707@FreeBSD.org>
Greetings,

following up to the IRC #bsdports discussion of Feb 18 23:30 UTC, where people were wondering about false positives in Ruby 1.8, I propose this change, with two effects:

1. make the "greater than" a "greater than or equal"
2. list the portepoch properly on the "ge" part, so that 1.8.7.371,1 is no more flagged as vulnerable.

Watch:

$ pkg_version -t 1.8.7.371,1 1.9
>
$ pkg_version -t 1.8.7.371,1 1.9,1
<

Thus, change vuln.xml like this:

<package> <name>ruby</name> - <range><gt>1.9</gt><lt>1.9.3.385,1</lt></range> + <range><ge>1.9,1</ge><lt>1.9.3.385,1</lt></range> </package> <package> <name>rubygem18-json</name>

and ruby 1.8.7.371,1 will no longer be flagged vulnerable WRT JSON stuff.

*NOTE:* A similar patch is required for the RDoc XSS issue.

Full patch attached, to be applied in /usr/ports/security/vuxml/.

HTH

Best regards
Matthias

Attachment: ruby-fix-false-vulnerable.patch

Index: vuln.xml
===================================================================
--- vuln.xml (Revision 312536)
+++ vuln.xml (Arbeitskopie)
@@ -191,7 +191,7 @@ <affects> <package> <name>ruby</name> - <range><gt>1.9</gt><lt>1.9.3.385,1</lt></range> + <range><ge>1.9,1</ge><lt>1.9.3.385,1</lt></range> </package> <package> <name>rubygem18-json</name>
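Review bot: the defect this hunk corrects is the mismatched epoch on the two bounds of the ruby range: `<gt>1.9</gt>` carries no PORTEPOCH while `<lt>1.9.3.385,1</lt>` does, and because an epoch of 1 sorts above any epoch-0 version (the pkg_version -t output in the message shows 1.8.7.371,1 > 1.9 but < 1.9,1), every ,1 release of the 1.8 branch satisfied both bounds at once. `<ge>1.9,1</ge>` puts both bounds in the same epoch, which is the right fix. The `rubygem18-json` package whose `<range>` follows this trailing context is not shown in the hunk; it should be checked for the same epoch-less lower bound before commit.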
@@ -239,7 +239,7 @@ <affects> <package> <name>ruby</name> - <range><gt>1.9</gt><lt>1.9.3.385,1</lt></range> + <range><ge>1.9,1</ge><lt>1.9.3.385,1</lt></range> </package> <package> <name>rubygem18-rdoc</name>
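Review bot: this hunk at line 239 is byte-for-byte the same fix as the one at line 191, which matches the message's note that the RDoc entry needs it too, but it also shows that the epoch-less `<gt>1.9</gt>` pattern appeared in at least two ruby entries; before commit, grep vuln.xml for any other `<name>ruby</name>` range with an epoch-less bound, and check the `rubygem18-rdoc` range that follows this context as well. The trailing-context line `<name>rubygem18-rdoc</name>` confirms the hunk is anchored on the RDoc entry rather than the JSON one.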
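As an added illustration of the ordering the message relies on (not code from the original mail or from the vuxml port): a simplified Python model of pkg_version -t comparison, epoch first, applied to the old and new VuXML ranges. It assumes the reduced grammar noted in the comments (numeric dot components, "_" revision, "," epoch, missing trailing components equal to 0) and does not cover the letter, "pl" or alpha/beta forms pkg_version also accepts; 1.9.3.374,1 is a constructed sample version.

```python
# Added example: simplified model of pkg_version(1) ordering, not the real
# implementation. Epoch first, then numeric components, then _revision.

def parse_version(v):
    """Split 'A.B.C_REV,EPOCH' into (epoch, [A, B, C], rev); missing parts are 0."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    return epoch, [int(c) for c in v.split(".")], revision

def compare(a, b):
    """-1, 0 or 1, like pkg_version -t. The epoch is decisive before anything
    else, which is why 1.8.7.371,1 sorts above an epoch-less 1.9.
    Assumption: trailing missing components count as 0, so 1.9 == 1.9.0."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    n = max(len(ca), len(cb))
    ca, cb = ca + [0] * (n - len(ca)), cb + [0] * (n - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1  # lexicographic list compare
    if ra != rb:
        return -1 if ra < rb else 1
    return 0

def symbol(a, b):
    """The '<', '=' or '>' that pkg_version -t prints."""
    return {-1: "<", 0: "=", 1: ">"}[compare(a, b)]

# VuXML <range> child elements map directly onto the comparison result.
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0,
       "gt": lambda c: c > 0, "ge": lambda c: c >= 0, "eq": lambda c: c == 0}

def in_range(installed, bounds):
    """True when every (op, version) bound of a VuXML <range> holds."""
    return all(OPS[op](compare(installed, ver)) for op, ver in bounds)

# The ruby ranges from the patch, before and after the fix.
OLD_RANGE = [("gt", "1.9"), ("lt", "1.9.3.385,1")]
NEW_RANGE = [("ge", "1.9,1"), ("lt", "1.9.3.385,1")]
```

Calling in_range("1.8.7.371,1", OLD_RANGE) reproduces the false positive, while the same version against NEW_RANGE is excluded because the lower bound now carries the epoch.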