From owner-freebsd-ports-bugs@freebsd.org  Wed Sep 23 18:34:41 2015
Return-Path: <owner-freebsd-ports-bugs@freebsd.org>
Delivered-To: freebsd-ports-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0A8BAA0639C
 for <freebsd-ports-bugs@mailman.ysv.freebsd.org>;
 Wed, 23 Sep 2015 18:34:41 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id EBB301AC6
 for <freebsd-ports-bugs@FreeBSD.org>; Wed, 23 Sep 2015 18:34:40 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id t8NIYeEN079019
 for <freebsd-ports-bugs@FreeBSD.org>; Wed, 23 Sep 2015 18:34:40 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 203227] vuln.xml incorrectly flagging ruby20 as insecure
Date: Wed, 23 Sep 2015 18:34:41 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Ports Framework
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: terry@tmk.com
X-Bugzilla-Status: Open
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: ports-secteam@FreeBSD.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-203227-13-LPAGb93jv6@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-203227-13@https.bugs.freebsd.org/bugzilla/>
References: <bug-203227-13@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ports-bugs>, 
 <mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs/>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
 <mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2015 18:34:41 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203227

--- Comment #16 from terry@tmk.com ---
(In reply to Mark Felder from comment #15)

Yes, that seems to fix it. I also tested changing the affected version from
2.0.0.645,1 to 2.0.0.648,1 and that correctly flagged my 2.0.0.647,1 install as
vulnerable.

So, it seem good to go here. My only comment would be to perhaps change:

      <package>
        <name>ruby</name>
        <range><ge>2.1,1</ge><lt>2.1.6,1</lt></range>
      </package>

to:

      <package>
        <name>ruby</name>
        <name>ruby21</name>
        <range><ge>2.1,1</ge><lt>2.1.6,1</lt></range>
      </package>

so that this doesn't pop up again if the default Ruby version is changed to 2.2
at some future time.

Thanks!

-- 
You are receiving this mail because:
You are on the CC list for the bug.