Date: Sat, 3 Aug 2024 14:59:13 +1000
From: Robert Backhaus <robbak@gmail.com>
To: Freebsd_mailinglist_PORTS <freebsd-ports@freebsd.org>
Subject: Error in vulnerability database, causing mysql80-server to be marked vulnerable.
Message-ID: <CABG_4j=TdfY=fnzdfpj%2B088HqP3cjZPQt0YA2j9Z9wsBXs%2BdEA@mail.gmail.com>
In-Reply-To: <CABG_4jm6ianQCv63YeaJ-_Tq%2Bgx9m_KjV9nDyP%2Btg6TOXue5aw@mail.gmail.com>
References: <CABG_4jm6ianQCv63YeaJ-_Tq%2Bgx9m_KjV9nDyP%2Btg6TOXue5aw@mail.gmail.com>

I have sent this message to ports-secteam@, but I have not received a response, and the error hasn't been fixed.

There is an error in vuln/2024.xml, resulting in databases/mysql80-server being incorrectly marked vulnerable. It also may be leading to databases/mysql81-server before version 8.1.1 not being marked vulnerable as they should be.

The error is with ID 3b018063-4358-11ef-b611-84a93843eb75. The entry for mysql81-server has been incorrectly entered as mysql80-server, leading to mysql80-server being marked vulnerable because the version will always be less than version 8.1.1. It also leaves the record with duplicate mysql80-server entries, which could also cause issues.

Required patch -

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index cdd182d0423f..05c3bd25a415 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -273,7 +273,7 @@ <range><lt>8.1.1</lt></range> </package> <package> - <name>mysql80-server</name> + <name>mysql81-server</name> <range><lt>8.1.1</lt></range> </package> <package>

See https://www.vuxml.org/freebsd/3b018063-4358-11ef-b611-84a93843eb75.html
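
Review bot: the hunk at @@ -273,7 +273,7 @@ changes only the <name> element and nothing else in the entry, so the entry's <dates> block is left without a <modified> date for this correction; since this edits an already published entry, add or update <modified> in the same commit. The <package> block directly above the changed line in the context also ends with <range><lt>8.1.1</lt></range> and its <name> is outside the hunk, so confirm it is not already mysql81-server, otherwise the rename replaces one duplicate with another. Running make validate in security/vuxml before committing would catch a malformed result.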
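
The check below is an added example, not part of the original message or of the FreeBSD ports tree: it lints one VuXML-style entry for the two symptoms the message describes, a package name listed twice and a version bound outside the branch the port name implies. The sample entry is constructed (placeholder vid and 8.0.x bound), and reading the two digits in a port name as major.minor is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed fragment shaped like one VuXML entry; the vid and the
# 8.0.x bound are placeholders, not values from the real database.
SAMPLE = """
<vuln vid="00000000-0000-0000-0000-000000000000">
  <affects>
    <package>
      <name>mysql80-server</name>
      <range><lt>8.0.99</lt></range>
    </package>
    <package>
      <name>mysql81-client</name>
      <range><lt>8.1.1</lt></range>
    </package>
    <package>
      <name>mysql80-server</name>
      <range><lt>8.1.1</lt></range>
    </package>
  </affects>
</vuln>
"""

def lint_entry(xml_text):
    """Return (duplicate_names, branch_mismatches) for one <vuln> entry."""
    vuln = ET.fromstring(xml_text)
    pkgs = vuln.findall("./affects/package")
    names = [n.text for p in pkgs for n in p.findall("name")]
    # A name listed twice in one entry is the duplicate the message reports.
    dups = sorted(n for n, c in Counter(names).items() if c > 1)
    mismatches = []
    for p in pkgs:
        for n in p.findall("name"):
            # Assumption: "mysql80-server" means the 8.0 branch.
            m = re.match(r"[a-z]+?(\d)(\d)-", n.text)
            if not m:
                continue
            branch = f"{m.group(1)}.{m.group(2)}."
            for bound in p.iterfind("range/*"):  # lt, le, ge, gt, eq
                if not bound.text.startswith(branch):
                    mismatches.append((n.text, bound.tag, bound.text))
    return dups, mismatches

if __name__ == "__main__":
    print(lint_entry(SAMPLE))
```

A branch mismatch is only a prompt for manual review, since a range can legitimately use a bound that does not start with the port's own branch prefix.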