Date: Sat, 31 Aug 2019 09:09:45 +0200 (CEST)
From: Trond Endrestøl <trond.endrestol@ximalas.info>
To: freebsd-questions@freebsd.org
Subject: ruby 2.4.7,1 considered vulnerable?
Message-ID: <alpine.BSF.2.21.99999.352.1908310904001.5686@enterprise.ximalas.info>
Is this to be expected?

$ pkg audit -Fr
vulnxml file up-to-date
ruby-2.4.7,1 is vulnerable:
RDoc -- multiple jQuery vulnerabilities
CVE: CVE-2015-9251
CVE: CVE-2012-6708
WWW: https://vuxml.FreeBSD.org/freebsd/ed8d5535-ca78-11e9-980b-999ff59c22ea.html

Packages that depend on ruby: ruby24-bdb, dtrace-toolkit, portupgrade

1 problem(s) in 1 installed package(s) found.

Given this entry in /var/db/pkg/vuln.xml, I expected 2.4.7,1 to be one of the corrected versions:

<package>
<name>ruby</name>
<range><ge>2.4.0</ge><lt>2.4.7,1</lt></range>
<range><ge>2.5.0</ge><lt>2.5.6,1</lt></range>
<range><ge>2.6.0</ge><lt>2.6.3,1</lt></range>
</package>

The link for vuxml.FreeBSD.org agrees with me on this one:

Affected packages
2.4.0 <= ruby < 2.4.7,1
2.5.0 <= ruby < 2.5.6,1
2.6.0 <= ruby < 2.6.3,1
rubygem-rdoc < 6.1.2

Could this be a bug in pkg(8)?

-- 
Trond.