Date: Wed, 23 Jan 2019 00:35:05 +1100
From: Kubilay Kocak <koobs@FreeBSD.org>
To: Glen Barber <gjb@FreeBSD.org>, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r490941 - head/security/vuxml
Message-ID: <5317a569-8501-0c9c-6b7f-af34bc09ad7b@FreeBSD.org>
In-Reply-To: <201901221232.x0MCWIGe082441@repo.freebsd.org>
References: <201901221232.x0MCWIGe082441@repo.freebsd.org>
On 22/01/2019 11:32 pm, Glen Barber wrote:
> Author: gjb
> Date: Tue Jan 22 12:32:18 2019
> New Revision: 490941
> URL: https://svnweb.freebsd.org/changeset/ports/490941
>
> Log:
> Attempt to fix vuxml build.
>
> Sponsored by: The FreeBSD Foundation
>
> Modified:
> head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml > ============================================================================== > --- head/security/vuxml/vuln.xml Tue Jan 22 12:30:21 2019 (r490940) > +++ head/security/vuxml/vuln.xml Tue Jan 22 12:32:18 2019 (r490941) 
> @@ -62,7 +62,7 @@ Notes: > <topic>www/py-requests -- Information disclosure vulnerability</topic> > <affects> > <package> > - <name>py*-requests</name> > + <name>py-requests</name> > <range><lt>2.20.0</lt></range> > </package> > </affects> >

Hi Glen,

This now doesn't match PKGNAME's (pyXY-requests). What is/was the issue exactly?

It passed make validate and passed the pkg audit tests (see below) mentioned in the file, in order to match any python version of the port, future or past. This at least means pkg audit understands the globbing pattern.

```
Additional tests can be done this way:

$ pkg audit -f ./vuln.xml py26-django-1.6
$ pkg audit -f ./vuln.xml py27-django-1.6.1
```

pkg audit -f ./vuln.xml py27-requests-2.19.0
py27-requests-2.19.0 is vulnerable:
www/py-requests -- Information disclosure vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html

1 problem(s) in the installed packages found.

pkg audit -f ./vuln.xml py34-requests-2.19.0
py34-requests-2.19.0 is vulnerable:
www/py-requests -- Information disclosure vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html

1 problem(s) in the installed packages found.

Note: python34 is now deleted from ports, but should still report vulnerable if py34-foo is installed.

pkg audit -f ./vuln.xml py37-requests-2.19.0
py37-requests-2.19.0 is vulnerable:
www/py-requests -- Information disclosure vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html

1 problem(s) in the installed packages found.
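Review bot: The replacement `<name>py-requests</name>` in the quoted hunk drops the wildcard, and this message states that the package names are flavored as pyXY-requests, so the literal name would no longer match an installed py27-requests or py37-requests and the entry would stop reporting them for versions below 2.20.0. The log line "Attempt to fix vuxml build." does not say which build step failed or with what error, so the reason for removing the glob cannot be checked from the commit. Suggest keeping a `<name>` form that still covers the flavored names (the `py*-requests` pattern, or the explicit flavored names listed one per `<name>`), and recording the failing command and its error in the log.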
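The coverage question raised in this message, as an added example that is not part of the original e-mail or of pkg: it checks which flavored package names an `<affects>` block flags before and after a `<name>` change. Assumptions: Python's `fnmatch` stands in for pkg's name matching, versions are plain dotted numbers, and the XML fragment and package list are constructed.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed fragment: the <affects> block from the quoted hunk, with the
# name as it was before r490941. Real vuln.xml entries carry more fields.
ENTRY = """<affects>
  <package>
    <name>py*-requests</name>
    <range><lt>2.20.0</lt></range>
  </package>
</affects>"""


def parse_version(text):
    # Assumption: plain dotted numeric versions only (no epoch or revision).
    return tuple(int(part) for part in text.split("."))


def split_pkgname(pkgname):
    # "py27-requests-2.19.0" -> ("py27-requests", "2.19.0")
    name, _, version = pkgname.rpartition("-")
    return name, version


def is_flagged(affects_xml, pkgname):
    """True when pkgname matches a <name> pattern and is below its <lt> bound."""
    name, version = split_pkgname(pkgname)
    for package in ET.fromstring(affects_xml).iter("package"):
        patterns = [n.text for n in package.iter("name")]
        # Assumption: fnmatch approximates the glob matching pkg audit applies.
        if not any(fnmatch.fnmatchcase(name, p) for p in patterns):
            continue
        for bound in package.iter("lt"):
            if parse_version(version) < parse_version(bound.text):
                return True
    return False


def coverage(affects_xml, pkgnames):
    """Map each installed-package string to whether the entry flags it."""
    return {p: is_flagged(affects_xml, p) for p in pkgnames}


if __name__ == "__main__":
    installed = ["py27-requests-2.19.0", "py34-requests-2.19.0",
                 "py37-requests-2.19.0", "py37-requests-2.20.0"]
    literal = ENTRY.replace("py*-requests", "py-requests")
    for label, block in (("py*-requests", ENTRY), ("py-requests", literal)):
        print(label, coverage(block, installed))
```
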