From owner-cvs-ports@FreeBSD.ORG Tue Jul 24 22:43:13 2007
Return-Path: <owner-cvs-ports@FreeBSD.ORG>
Delivered-To: cvs-ports@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D54D516A418; Tue, 24 Jul 2007 22:43:13 +0000 (UTC) (envelope-from simon@benji.nitro.dk)
Received: from mx.nitro.dk (zarniwoop.nitro.dk [83.92.207.38]) by mx1.freebsd.org (Postfix) with ESMTP id 8E0AA13C461; Tue, 24 Jul 2007 22:43:13 +0000 (UTC) (envelope-from simon@benji.nitro.dk)
Received: from benji.nitro.dk (unknown [192.168.3.39]) by mx.nitro.dk (Postfix) with ESMTP id B96842DE28C; Tue, 24 Jul 2007 22:43:12 +0000 (UTC)
Received: by benji.nitro.dk (Postfix, from userid 2000) id 57106FD9F; Wed, 25 Jul 2007 00:43:30 +0200 (CEST)
Date: Wed, 25 Jul 2007 00:43:30 +0200
From: "Simon L. Nielsen"
To: Xin LI
Message-ID: <20070724224329.GE1003@zaphod.nitro.dk>
References: <200707241417.l6OEH7oG049577@repoman.freebsd.org> <20070724222656.GD1003@zaphod.nitro.dk> <46A67D87.7090108@delphij.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <46A67D87.7090108@delphij.net>
User-Agent: Mutt/1.5.16 (2007-06-09)
Cc: cvs-ports@FreeBSD.ORG, Xin LI, cvs-all@FreeBSD.ORG, ports-committers@FreeBSD.ORG
Subject: Re: cvs commit: ports/security/vuxml vuln.xml
X-BeenThere: cvs-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the ports tree
X-List-Received-Date: Tue, 24 Jul 2007 22:43:13 -0000

On 2007.07.25 06:30:31 +0800, Xin LI wrote:
> Simon L. Nielsen wrote:
>> On 2007.07.24 14:17:07 +0000, Xin LI wrote:
>>> delphij     2007-07-24 14:17:07 UTC
>>>
>>>   FreeBSD ports repository
>>>
>>>   Modified files:
>>>     security/vuxml       vuln.xml
>>>   Log:
>>>   The previous vuxml entry applies to jakarta-tomcat 4.0.x as well, so mark
>>>   it as affected as well.  Since there is no newer release I have used 4.1.0
>>>   as the "fixed" version.
>>
>> Has it actually been fixed in 4.1.0?  If not you should just not set a
>> top version to avoid a new release which actually doesn't fix the
>> issue being marked secure.
>
> No.  The version is chosen because 4.1.0 is greater than the possible
> version (the port itself is 4.0.x).  Should there be a better way to
> represent it, please feel free to commit a fix, thanks!

I just checked http://tomcat.apache.org/security-4.html - and from
reading that, the fixes should be in 4.1.36 (even if that isn't in
ports); does that seem correct?  I have never used tomcat so I don't
know if I'm missing something.

If it is fixed in upstream 4.1.36 it would be fine just to mark the
vulnerability as fixed in 4.1.36, even if that isn't in ports yet.

-- 
Simon L. Nielsen
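The practical consequence of the point Simon raises (an upper bound chosen only because it is "greater than the port's version" silently marks every later unfixed release as secure) is easy to show by evaluating the two candidate `<range>` elements against a few versions. The following is an added example, not code from the thread or from the FreeBSD project: the `<affects>` fragments are constructed for illustration, the vulnerability itself is left unnamed, and the version comparison is a simplified dotted-integer compare rather than the full pkg_version(1) ordering that `pkg audit` uses. The real VuXML `<range>` children are `lt`, `le`, `eq`, `ge` and `gt`; that part is not an assumption.

```python
"""Evaluate a VuXML-style <affects> block against a port version.

Added example for the jakarta-tomcat discussion above.  The XML fragments
are CONSTRUCTED placeholders, not entries from vuln.xml, and the version
ordering is a deliberately simplified stand-in for pkg_version(1).
"""
import re
import xml.etree.ElementTree as ET

# Upper bound picked only because it is above the port's own version (4.0.x).
# Any 4.1.x release that still carries the bug will be reported as clean.
AFFECTS_WRONG = """
<affects>
  <package>
    <name>jakarta-tomcat</name>
    <range><ge>4.0.0</ge><lt>4.1.0</lt></range>
  </package>
</affects>
"""

# Upper bound set to the upstream release that actually ships the fix.
AFFECTS_FIXED = """
<affects>
  <package>
    <name>jakarta-tomcat</name>
    <range><ge>4.0.0</ge><lt>4.1.36</lt></range>
  </package>
</affects>
"""


def parse_version(text):
    """Simplified version key: drop a PORTREVISION/PORTEPOCH suffix such as
    '_2' or ',1', then compare the dotted components as integers.
    (Assumption: good enough for plain a.b.c release numbers; pkg_version(1)
    handles letters, 'pl', and epochs, which this does not.)"""
    base = re.split(r"[_,]", text.strip())[0]
    return tuple(int(part) if part.isdigit() else 0 for part in base.split("."))


def in_range(range_el, version):
    """True when `version` satisfies every bound inside one <range> element."""
    v = parse_version(version)
    checks = {
        "lt": lambda b: v < b,
        "le": lambda b: v <= b,
        "eq": lambda b: v == b,
        "ge": lambda b: v >= b,
        "gt": lambda b: v > b,
    }
    for bound in range_el:
        if bound.tag not in checks:
            raise ValueError("unknown range bound <%s>" % bound.tag)
        if not checks[bound.tag](parse_version(bound.text)):
            return False
    return True


def is_affected(affects_xml, pkg_name, version):
    """Return True if `pkg_name` at `version` matches any <range> of that
    package inside the <affects> block (several ranges are OR-ed together)."""
    root = ET.fromstring(affects_xml.strip())
    for pkg in root.findall("package"):
        if pkg.findtext("name") != pkg_name:
            continue
        if any(in_range(r, version) for r in pkg.findall("range")):
            return True
    return False


def audit(version):
    """Compare the verdict the two candidate entries give for one version."""
    return {
        "wrong_entry": is_affected(AFFECTS_WRONG, "jakarta-tomcat", version),
        "fixed_entry": is_affected(AFFECTS_FIXED, "jakarta-tomcat", version),
    }


if __name__ == "__main__":
    for ver in ("4.0.6", "4.1.10", "4.1.35_1", "4.1.36"):
        print(ver, audit(ver))
```

The interesting row is a hypothetical 4.1.x port below 4.1.36: the `<lt>4.1.0</lt>` entry reports it as not affected, which is exactly the false "secure" result the reply warns about, while the `<lt>4.1.36</lt>` entry still flags it. Leaving the upper bound out entirely, as also suggested in the thread, would flag every version until someone records the real fix.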