Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 5 Sep 2018 10:24:36 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        freebsd-security@freebsd.org, FreeBSD Ports <ports@freebsd.org>
Subject:   fix for vuln.xml / committer needed
Message-ID:  <aa920612-4547-6931-5c6e-68c7235a3f2b@quip.cz>
In-Reply-To: <9787dd02-177c-e5cf-0368-10cf8aca2e6f@quip.cz>
References:  <b3a70fdc-e072-50be-634d-c193f776243c@quip.cz> <9787dd02-177c-e5cf-0368-10cf8aca2e6f@quip.cz>
next in thread | previous in thread | raw e-mail | index | archive | help 
Can somebody commit this easy fix, please?
It is annoying to get false alarms every day in daily security reports.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231054

Kind Regards
Miroslav Lachman

Miroslav Lachman wrote on 2018/08/31 12:24:
> Miroslav Lachman wrote on 2018/08/28 00:20:
>> Running pkg audit FreeBSD-10.4_11 gives me one vulnerability:
>>
>> # pkg audit FreeBSD-10.4_11
>> FreeBSD-10.4_11 is vulnerable:
>> wpa_supplicant -- unauthenticated encrypted EAPOL-Key data
>> CVE: CVE-2018-14526
>> WWW: 
>> https://vuxml.FreeBSD.org/freebsd/6bedc863-9fbe-11e8-945f-206a8a720317.html 
>>
>>
>> 1 problem(s) in the installed packages found.
>>
>> But information on the page shows it was fixed in 10.4-p10:
>>
>> Affected packages
>> wpa_supplicant     <     2.6_2
>> FreeBSD     <=     10.4_10
>> FreeBSD     <=     11.2_1
>>
>> So... was it really fixed? Is there incorrect info in VuXML database 
>> file or on the web page?
> 
> As noted privately by Dan Lukes, there is wrong entry in vuln.xml - 
> missing < 10.4 and < 11.2 (start of the range)
> 
> --- vuln.xml.orig     2018-08-30 03:02:57.656941000 +0200
> +++ vuln.xml          2018-08-31 12:13:53.564345000 +0200
> @@ -525,8 +525,8 @@
>         </package>
>         <package>
>          <name>FreeBSD</name>
> -       <range><le>10.4_10</le></range>
> -       <range><le>11.2_1</le></range>
> +       <range><ge>10.4</ge><le>10.4_10</le></range>
> +       <range><ge>11.2</ge><le>11.2_1</le></range>
>         </package>
>       </affects>
>       <description>
> 
> See PR 231054.
> 
> Miroslav Lachman

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?aa920612-4547-6931-5c6e-68c7235a3f2b>