Date: Mon, 21 Jul 2014 14:07:11 +0200
From: Dag-Erling Smørgrav <des@des.no>
To: Florian Smeets <flo@FreeBSD.org>
Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: svn commit: r362109 - head/net/php53-xmlrpc/files
Message-ID: <86silunceo.fsf@nine.des.no>
In-Reply-To: <201407162036.s6GKaE7H094339@svn.freebsd.org> (Florian Smeets's message of "Wed, 16 Jul 2014 20:36:14 +0000 (UTC)")
References: <201407162036.s6GKaE7H094339@svn.freebsd.org>
Florian Smeets <flo@FreeBSD.org> writes:
> Author: flo
> Date: Wed Jul 16 20:36:14 2014
> New Revision: 362109
> URL: http://svnweb.freebsd.org/changeset/ports/362109
> QAT: https://qat.redports.org/buildarchive/r362109/
>
> Log:
>   Merge a patch from lang/php5 to fix build breakage.
>
>   Requested by: George L. Yermulnik <yz@yz.kiev.ua>

https://wiki.freebsd.org/Ports/CPE

This port has CPE data. In the (currently highly hypothetical) scenario where someone runs an audit tool to check their installed packages against the NVE XML feed, and a CVE is issued for this bug, they will get a false positive because the CPE string does not reflect the presence of this patch.

The best way around it is probably to set CPE_OTHER=${PORTREVISION} so we can report to MITRE / NIST that cpe:/a:php:php:5.3.28::~~~freebsd~~3 (or, in CPE 2.3 notation, cpe:2.3:a:php:php:5.3.28:::::freebsd::3) is not vulnerable.

Not your fault, but food for thought.

BTW, you should have added a vuxml entry for this, or asked ports-secteam to do it for you.

DES
-- 
Dag-Erling Smørgrav - des@des.no
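As an added example (not code from this thread, the ports tree, or any FreeBSD audit tool), the following Python parses the two CPE bindings quoted in the message, the CPE 2.2 URI with its `~`-packed edition component and the equivalent CPE 2.3 formatted string, into named attributes, and then runs a minimal audit check against a constructed vulnerability record. The record, its placeholder CVE id and the `audit` function are assumptions made for illustration: they show why a package whose CPE lacks the port revision is flagged, and why one carrying `CPE_OTHER=${PORTREVISION}` can be excluded once a matching "not affected" CPE exists.

```python
"""Parse CPE 2.2 URI and CPE 2.3 formatted-string bindings and run a
minimal audit check.  Added example for the php53-xmlrpc CPE discussion;
not FreeBSD's own code.  The vulnerability record is constructed."""

# The 11 CPE attributes, in CPE 2.3 formatted-string order.
ATTRS = ["part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe(cpe):
    """Return a dict of the 11 attributes.  '' and '*' both mean 'unspecified'
    here, because the thread writes empty components in 2.3 notation while the
    CPE 2.3 specification writes '*' for ANY."""
    if cpe.startswith("cpe:2.3:"):
        fields = cpe.split(":")[2:]
        if len(fields) != 11:
            raise ValueError("CPE 2.3 string needs 11 components: %r" % cpe)
        return dict(zip(ATTRS, fields))
    if cpe.startswith("cpe:/"):
        fields = cpe[len("cpe:/"):].split(":")
        fields += [""] * (7 - len(fields))      # URI may omit trailing components
        part, vendor, product, version, update, edition, language = fields[:7]
        # CPE 2.2 packs the 2.3-only attributes into the edition component as
        # ~edition~sw_edition~target_sw~target_hw~other
        if edition.startswith("~"):
            packed = edition.split("~")[1:]
            packed += [""] * (5 - len(packed))
            edition, sw_edition, target_sw, target_hw, other = packed[:5]
        else:
            sw_edition = target_sw = target_hw = other = ""
        return dict(zip(ATTRS, [part, vendor, product, version, update, edition,
                                language, sw_edition, target_sw, target_hw, other]))
    raise ValueError("unrecognised CPE binding: %r" % cpe)


def matches(pattern, target):
    """True if every attribute given in `pattern` equals the one in `target`;
    unspecified attributes in the pattern match anything."""
    return all(pattern[a] in ("", "*") or pattern[a] == target[a] for a in ATTRS)


# Constructed stand-in for an NVD-style record (no CVE was issued in the
# thread).  'not_affected' is the kind of exception the message proposes
# reporting to MITRE / NIST once the port revision is carried in 'other'.
RECORD = {
    "id": "CVE-XXXX-XXXX (placeholder)",
    "affected": ["cpe:2.3:a:php:php:5.3.28:*:*:*:*:*:*:*"],
    "not_affected": ["cpe:2.3:a:php:php:5.3.28:::::freebsd::3"],
}


def audit(installed_cpe, record):
    """Hypothetical audit decision: flag the package if an affected CPE
    matches and no not-affected CPE matches."""
    inst = parse_cpe(installed_cpe)
    if any(matches(parse_cpe(c), inst) for c in record["not_affected"]):
        return False
    return any(matches(parse_cpe(c), inst) for c in record["affected"])


if __name__ == "__main__":
    uri = "cpe:/a:php:php:5.3.28::~~~freebsd~~3"
    fs = "cpe:2.3:a:php:php:5.3.28:::::freebsd::3"
    print("same attributes from both bindings:", parse_cpe(uri) == parse_cpe(fs))
    for installed in ("cpe:/a:php:php:5.3.28",          # no CPE_OTHER: false positive
                      uri,                                # revision 3: excluded
                      "cpe:/a:php:php:5.3.28::~~~freebsd~~2"):
        print(installed, "->", "FLAGGED" if audit(installed, RECORD) else "not affected")
```

The first package string, with no port revision, matches the affected entry and is reported; the one carrying `~~~freebsd~~3` is excluded only because a not-affected CPE names that exact revision. Without such an entry in the feed, setting `CPE_OTHER` alone does not silence the match, which is why the message pairs it with reporting the patched CPE upstream.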