From owner-freebsd-ruby@FreeBSD.ORG Tue Feb 19 00:03:15 2013 Return-Path: Delivered-To: ruby@freebsd.org Received: from mandree.no-ip.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by hub.freebsd.org (Postfix) with ESMTP id 3C19E5D3; Tue, 19 Feb 2013 00:03:15 +0000 (UTC) (envelope-from mandree@FreeBSD.org) Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by apollo.emma.line.org (Postfix) with ESMTP id 55CE923CEA7; Tue, 19 Feb 2013 01:03:14 +0100 (CET) Message-ID: <5122C141.3000707@FreeBSD.org> Date: Tue, 19 Feb 2013 01:03:13 +0100 From: Matthias Andree User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2 MIME-Version: 1.0 To: Steve Wills , Eitan Adler Subject: ruby 1.8 (json issue) vs. vuxml X-Enigmail-Version: 1.4.6 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig43B08961E884194C7673F606" Cc: ruby@freebsd.org X-BeenThere: freebsd-ruby@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: FreeBSD-specific Ruby discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Feb 2013 00:03:15 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig43B08961E884194C7673F606 Content-Type: multipart/mixed; boundary="------------000004080503000902000600" This is a multi-part message in MIME format. --------------000004080503000902000600 Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: quoted-printable Greetings, following up to the IRC #bsdports discussion of Feb 18 23:30 UTC, where people were wondering about false positives in Ruby 1.8, I propose this change, with two effects: 1. make the "greater than" a "greater than or equal" 2. list the portepoch properly on the "ge" part, so that 1.8.7.371,1 is no more flagged as vulnerable. Watch: $ pkg_version -t 1.8.7.371,1 1.9 > $ pkg_version -t 1.8.7.371,1 1.9,1 < Thus, change vuln.xml like this: ruby - 1.91.9.3.385,1 + 1.9,11.9.3.385,1 rubygem18-json and ruby 1.8.7.371,1 will no longer be flagged vulnerable WRT JSON stuff.= *NOTE:* A similar patch is required for the RDoc XSS issue. Full patch attached, to be applied in /usr/ports/security/vuxml/. HTH Best regards Matthias --------------000004080503000902000600 Content-Type: text/x-patch; name="ruby-fix-false-vulnerable.patch" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="ruby-fix-false-vulnerable.patch" Index: vuln.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- vuln.xml (Revision 312536) +++ vuln.xml (Arbeitskopie) @@ -191,7 +191,7 @@ ruby - 1.91.9.3.385,1 + 1.9,11.9.3.385,1 rubygem18-json @@ -239,7 +239,7 @@ ruby - 1.91.9.3.385,1 + 1.9,11.9.3.385,1 rubygem18-rdoc --------------000004080503000902000600-- --------------enig43B08961E884194C7673F606 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlEiwUEACgkQvmGDOQUufZWVdACg4ncUoCi1ZvyKIHcXubh2E1d7 /JYAn3KEKC0NxWLOYh0AhnV8wzzIWCB3 =v4kj -----END PGP SIGNATURE----- --------------enig43B08961E884194C7673F606--