From: Trond Endrestøl <trond.endrestol@ximalas.info>
To: freebsd-questions@freebsd.org
Date: Sat, 31 Aug 2019 09:09:45 +0200 (CEST)
Subject: ruby 2.4.7,1 considered vulnerable?
Is this to be expected?

$ pkg audit -Fr
vulnxml file up-to-date
ruby-2.4.7,1 is vulnerable:
RDoc -- multiple jQuery vulnerabilities
CVE: CVE-2015-9251
CVE: CVE-2012-6708
WWW: https://vuxml.FreeBSD.org/freebsd/ed8d5535-ca78-11e9-980b-999ff59c22ea.html

Packages that depend on ruby: ruby24-bdb, dtrace-toolkit, portupgrade

1 problem(s) in 1 installed package(s) found.

Given this entry in /var/db/pkg/vuln.xml, I expected 2.4.7,1 to be one of the corrected versions:

<package>
  <name>ruby</name>
  <range><ge>2.4.0</ge><lt>2.4.7,1</lt></range>
  <range><ge>2.5.0</ge><lt>2.5.6,1</lt></range>
  <range><ge>2.6.0</ge><lt>2.6.3,1</lt></range>
</package>

The link for vuxml.FreeBSD.org agrees with me on this one:

Affected packages
2.4.0 <= ruby < 2.4.7,1
2.5.0 <= ruby < 2.5.6,1
2.6.0 <= ruby < 2.6.3,1
rubygem-rdoc < 6.1.2

Could this be a bug in pkg(8)?

-- 
Trond.