Date:      Tue, 19 Feb 2013 01:03:13 +0100
From:      Matthias Andree <mandree@FreeBSD.org>
To:        Steve Wills <swills@FreeBSD.org>, Eitan Adler <eadler@freebsd.org>
Cc:        ruby@freebsd.org
Subject:   ruby 1.8 (json issue) vs. vuxml
Message-ID:  <5122C141.3000707@FreeBSD.org>

Greetings,

Following up on the IRC #bsdports discussion of Feb 18 23:30 UTC, where
people were wondering about false positives for Ruby 1.8, I propose this
change, with two effects:

1. make the "greater than" a "greater than or equal"

2. list the portepoch properly on the "ge" part, so that 1.8.7.371,1 is
no longer flagged as vulnerable.

Watch:

$ pkg_version -t 1.8.7.371,1 1.9
>
$ pkg_version -t 1.8.7.371,1 1.9,1
<

Thus, change vuln.xml like this:

       <package>
 	<name>ruby</name>
-	<range><gt>1.9</gt><lt>1.9.3.385,1</lt></range>
+	<range><ge>1.9,1</ge><lt>1.9.3.385,1</lt></range>
       </package>
       <package>
 	<name>rubygem18-json</name>

and ruby 1.8.7.371,1 will no longer be flagged vulnerable WRT JSON stuff.


*NOTE:* A similar patch is required for the RDoc XSS issue.

Full patch attached, to be applied in /usr/ports/security/vuxml/.

HTH

Best regards
Matthias

Attachment: ruby-fix-false-vulnerable.patch
Index: vuln.xml
===================================================================
--- vuln.xml	(Revision 312536)
+++ vuln.xml	(working copy)
@@ -191,7 +191,7 @@
     <affects>
       <package>
 	<name>ruby</name>
-	<range><gt>1.9</gt><lt>1.9.3.385,1</lt></range>
+	<range><ge>1.9,1</ge><lt>1.9.3.385,1</lt></range>
       </package>
       <package>
 	<name>rubygem18-json</name>
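Review bot: the new `<ge>1.9,1</ge>` lower bound now carries the same portepoch as the existing `<lt>1.9.3.385,1</lt>` upper bound, which is what actually removes the false positive: without the epoch, `1.8.7.371,1` compares greater than `1.9` (the epoch is compared before the version, as the `pkg_version -t` output in the message shows) and so falls inside the old `<gt>1.9</gt>` range. Before committing, confirm that no ruby 1.9.x package was ever built without the epoch (a plain `1.9.3.xxx`), since such a version would now compare below `1.9,1` and drop out of the affected range; the hunk only touches the `ruby` package, so the `rubygem18-json` range that follows should be checked for the same epoch-less lower-bound pattern, and `make validate` in security/vuxml should pass on the result.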
@@ -239,7 +239,7 @@
     <affects>
       <package>
 	<name>ruby</name>
-	<range><gt>1.9</gt><lt>1.9.3.385,1</lt></range>
+	<range><ge>1.9,1</ge><lt>1.9.3.385,1</lt></range>
       </package>
       <package>
 	<name>rubygem18-rdoc</name>
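Review bot: this is the same range edit as the JSON entry above, applied to the RDoc entry, and the two `ruby` ranges are now textually identical; since both entries describe the same fixed version `1.9.3.385,1`, they should be kept in lockstep when either is bumped. As in the first hunk, only the `ruby` package is touched, so the `rubygem18-rdoc` range that follows the context line should also be checked for an epoch-less lower bound before the patch is committed.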




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5122C141.3000707>
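The point of the patch is how `pkg_version -t` orders `version[_revision][,epoch]` strings: the portepoch after the comma is compared before the version itself, so `1.8.7.371,1` sorts above an epoch-less `1.9`. As an added example, not part of Matthias's message or of any FreeBSD tool, the following Python models that ordering and a VuXML-style `<gt>/<ge>/<lt>/<le>` range check, then replays the old and new `ruby` ranges against the versions from the message. It is a simplified comparator (assumption: purely numeric dotted components; it does not implement pkg_version's handling of letter suffixes or pre-release markers such as `pl`, `alpha`, `beta`).

```python
"""Simplified model of FreeBSD package version ordering and VuXML range checks.

Added example; NOT the FreeBSD implementation. Assumptions:
  * version strings look like  version[_portrevision][,portepoch]
  * version components are numeric (letter suffixes / pre-release tags
    that the real pkg_version(1) understands are not handled here)
"""
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_pkg_version(s: str) -> Tuple[int, Tuple[int, ...], int]:
    """Split 'version[_rev][,epoch]' into a sortable key (epoch, version, rev).

    The key puts the epoch FIRST: that is why 1.8.7.371,1 > 1.9 (epoch 1 vs 0)
    but 1.8.7.371,1 < 1.9,1 (same epoch, then 8 < 9).
    """
    epoch = 0
    revision = 0
    if "," in s:
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    if "_" in s:
        s, r = s.rsplit("_", 1)
        revision = int(r)
    parts = []
    for comp in s.split("."):
        if not comp.isdigit():
            raise ValueError(f"simplified comparator handles numeric components only: {s!r}")
        parts.append(int(comp))
    # tuple comparison: shorter prefix sorts first, so 1.9 < 1.9.3 < 1.9.3.385
    return epoch, tuple(parts), revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 (a < b, a == b, a > b)."""
    ka, kb = parse_pkg_version(a), parse_pkg_version(b)
    return (ka > kb) - (ka < kb)


def pkg_version_t(a: str, b: str) -> str:
    """Mimic the one-character output of `pkg_version -t a b`."""
    return {-1: "<", 0: "=", 1: ">"}[compare_versions(a, b)]


@dataclass(frozen=True)
class VuxmlRange:
    """One <range> element: any of gt/ge/lt/le may be present."""
    gt: Optional[str] = None
    ge: Optional[str] = None
    lt: Optional[str] = None
    le: Optional[str] = None

    def contains(self, version: str) -> bool:
        if self.gt is not None and compare_versions(version, self.gt) <= 0:
            return False
        if self.ge is not None and compare_versions(version, self.ge) < 0:
            return False
        if self.lt is not None and compare_versions(version, self.lt) >= 0:
            return False
        if self.le is not None and compare_versions(version, self.le) > 0:
            return False
        return True


# The two ranges from the patch ("-" line and "+" line for the ruby package).
OLD_RANGE = VuxmlRange(gt="1.9", lt="1.9.3.385,1")
NEW_RANGE = VuxmlRange(ge="1.9,1", lt="1.9.3.385,1")


def flagged_by(rng: VuxmlRange, version: str) -> bool:
    """True when a vulnerability scanner using this range would flag `version`."""
    return rng.contains(version)


if __name__ == "__main__":
    # Constructed sample: the two comparisons from the message plus a few
    # ruby 1.9 versions, to show which range flags what.
    for a, b in (("1.8.7.371,1", "1.9"), ("1.8.7.371,1", "1.9,1")):
        print(f"pkg_version -t {a} {b} -> {pkg_version_t(a, b)}")
    for v in ("1.8.7.371,1", "1.9.3.286,1", "1.9.3.385,1", "1.9.3.385_1,1"):
        print(f"{v:16} old range: {flagged_by(OLD_RANGE, v)!s:5} new range: {flagged_by(NEW_RANGE, v)}")
```

Running the block shows the false positive the message describes: the old `<gt>1.9</gt>` range flags `1.8.7.371,1` because its epoch is compared first, while the new `<ge>1.9,1</ge>` range does not, and the fixed `1.9.3.385,1` (and any later portrevision of it) stays outside both ranges.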