Date: Wed, 25 May 2011 01:59:55 +0200
From: Olli Hauer <ohauer@FreeBSD.org>
To: Wesley Shields <wxs@FreeBSD.org>
Cc: Olli Hauer <ohauer@FreeBSD.org>, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject: Re: cvs commit: ports/security/vuxml vuln.xml
Message-ID: <4DDC467B.7030305@FreeBSD.org>
In-Reply-To: <20110524233622.GB77710@atarininja.org>
References: <201105242259.p4OMxqYO099440@repoman.freebsd.org> <20110524232400.GA77710@atarininja.org> <4DDC3EAE.6030802@gmx.de> <20110524233622.GB77710@atarininja.org>
On 2011-05-25 01:36, Wesley Shields wrote:
> On Wed, May 25, 2011 at 01:26:38AM +0200, olli hauer wrote:
>> On 2011-05-25 01:24, Wesley Shields wrote:
>>> On Tue, May 24, 2011 at 10:59:52PM +0000, Olli Hauer wrote:
>>>> ohauer      2011-05-24 22:59:52 UTC
>>>>
>>>>   FreeBSD ports repository
>>>>
>>>>   Modified files:
>>>>     security/vuxml       vuln.xml
>>>>   Log:
>>>>   - use apr-* and add <gt></gt> entries for all apr0/apr1 issues
>>>>     (<gt> .. is needed else the parser cannot make a difference
>>>>      between apr0 and apr1)
>>>>
>>>>   - lowercase ViewVC -> viewvc
>>>>
>>>>   Thanks Jun Kuriyama ( kuriyama@ ) for the notice and the patch
>>>>   for the apr entries.
>>>
>>> The apr-* stuff broke the build.
>>>
>>> -- WXS
>>>
>>
>> grrrr, I see the same but only on my 8.2 machines no issues on 7.4.
>>
>> Do you have a chance to verify this (7.4/8.x)?
>
> I'm not sure what you mean, and it is probably because I was not clear.
> The vuxml build is broken. I can't speak for the build of the ports
> themselves.
>
> Sorry for the confusion.
>
> -- WXS

Hm, now I need someone's help.
I just noticed an issue with the vxquery portaudit parser.

If a vuln.xml entry does not match the exact portname it will not be detected.

For example the entry

    <package>
      <name>apr-*</name>
      <range><ge>1.4.0.1.3.0</ge><lt>1.4.5.1.3.12</lt></range>
    </package>

will be detected by portaudit but vxquery expects in my case

    <package>
      <name>apr-ipv6-devrandom-gdbm-db47</name>
      <range><lt>1.4.5.1.3.12</lt></range>
    </package>

Unfortunately the package name for apr reflects the build options and we
can end up with a few hundred different package names.
(5 options * possible (bdb|mysql|pgsql|ldap|sqlite) versions)

So what's the best way to document the apr issue?

This entry is not recognized by portaudit and vxquery.

    <package>
      <name>apr1</name>
      <range><lt>1.4.5.1.3.12</lt></range>
    </package>