Date: Wed, 27 Aug 2025 17:17:07 +0100
From: Martin Simmons
To: "Wall, Stephen"
CC: freebsd-security@freebsd.org
Subject: Re: Possible error in FreeBSD's VuXML data
List-Archive: https://lists.freebsd.org/archives/freebsd-security

>>>>> On Tue, 26 Aug 2025 20:25:25 +0000, Wall, Stephen said:
>
> I’d like to further point out that
> https://vuxml.freebsd.org/freebsd/b945ce3f-6f9b-11f0-bd96-b42e991fc52e.html
> is not being listed when I run `pkg audit` on the same system. That
> vulnerability is listed in the `pkg audit sqlite2` output. I think it
> should be, 3.46.1_1,1 is less than 3.49.1.

This is because the version number in this entry is missing the portepoch (the
",1" suffix), so it appears to be older than the installed version.

A script is needed to audit the VuXML to find these broken entries.

__Martin
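
The effect described in the message above, as an added example that is not part of the original message or of FreeBSD's tooling: an epoch-first comparison of the two versions from the thread, plus a scan that flags range bounds lacking the epoch. The XML sample, the `PORT_EPOCHS` map and all function names are assumptions, and the ordering is a simplification of what `pkg` does.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in VuXML's affects/package/range layout; vids and bounds are made up.
SAMPLE = """<vuxml>
  <vuln vid="00000000-0000-0000-0000-000000000001"><affects><package>
    <name>sqlite3</name><range><lt>3.49.1</lt></range>
  </package></affects></vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002"><affects><package>
    <name>sqlite3</name><range><ge>3.40.0,1</ge><lt>3.49.1,1</lt></range>
  </package></affects></vuln>
</vuxml>"""

# Assumption: current PORTEPOCH per package, collected separately from the ports tree.
PORT_EPOCHS = {"sqlite3": 1}


def split_version(v):
    """Split 'version[_revision][,epoch]' into (epoch, version, revision)."""
    m = re.fullmatch(r"(.*?)(?:_(\d+))?(?:,(\d+))?", v.strip())
    return int(m.group(3) or 0), m.group(1), int(m.group(2) or 0)


def version_key(v):
    """Simplified ordering (not pkg's full algorithm): epoch, numeric parts, revision."""
    epoch, ver, rev = split_version(v)
    return epoch, [int(p) for p in re.findall(r"\d+", ver)], rev


def missing_epoch(xml_text, epochs):
    """Return (vid, package, bound) for range bounds that lack the port's epoch."""
    findings = []
    # {*} matches the element with or without an XML namespace (Python 3.8+).
    for vuln in ET.fromstring(xml_text).findall(".//{*}vuln"):
        for pkg in vuln.findall(".//{*}package"):
            names = [n.text for n in pkg.findall("{*}name")]
            bounds = [b.text for r in pkg.findall("{*}range") for b in r]
            findings += [(vuln.get("vid"), n, b) for n in names for b in bounds
                         if epochs.get(n, 0) > 0 and split_version(b)[0] == 0]
    return findings


if __name__ == "__main__":
    installed = "3.46.1_1,1"
    print(version_key(installed) < version_key("3.49.1"))    # bound without epoch
    print(version_key(installed) < version_key("3.49.1,1"))  # bound with epoch
    for finding in missing_epoch(SAMPLE, PORT_EPOCHS):
        print(finding)
```

A flagged bound is a candidate for review rather than a confirmed error: an entry written before the port gained its epoch correctly has none.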