Reply-To: koobs@FreeBSD.org
Subject: Re: svn commit: r490941 - head/security/vuxml
To: Glen Barber, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
From: Kubilay Kocak
Date: Wed, 23 Jan 2019 00:35:05 +1100

On 22/01/2019 11:32 pm, Glen Barber wrote:
> Author: gjb
> Date: Tue Jan 22 12:32:18 2019
> New Revision: 490941
> URL: https://svnweb.freebsd.org/changeset/ports/490941
>
> Log:
>   Attempt to fix vuxml build.
>
>   Sponsored by: The FreeBSD Foundation
>
> Modified:
>   head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml > ============================================================================== > --- head/security/vuxml/vuln.xml Tue Jan 22 12:30:21 2019 (r490940) > +++ head/security/vuxml/vuln.xml Tue Jan 22 12:32:18 2019 (r490941)
> @@ -62,7 +62,7 @@ Notes: > www/py-requests -- Information disclosure vulnerability > > > - py*-requests > + py-requests > 2.20.0 > > >

Hi Glen,

This now doesn't match PKGNAMEs (pyXY-requests). What is/was the issue exactly?

It passed make validate and passed the pkg audit tests (see below) mentioned in the file, in order to match any python version of the port, future or past. This at least means pkg audit understands the globbing pattern.

```
Additional tests can be done this way:

    $ pkg audit -f ./vuln.xml py26-django-1.6
    $ pkg audit -f ./vuln.xml py27-django-1.6.1
```

```
pkg audit -f ./vuln.xml py27-requests-2.19.0
py27-requests-2.19.0 is vulnerable:
www/py-requests -- Information disclosure vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html

1 problem(s) in the installed packages found.
```

```
pkg audit -f ./vuln.xml py34-requests-2.19.0
py34-requests-2.19.0 is vulnerable:
www/py-requests -- Information disclosure vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html

1 problem(s) in the installed packages found.
```

Note: python34 is now deleted from ports, but should still report vulnerable if py34-foo is installed.

```
pkg audit -f ./vuln.xml py37-requests-2.19.0
py37-requests-2.19.0 is vulnerable:
www/py-requests -- Information disclosure vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html

1 problem(s) in the installed packages found.
```
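
Review bot: Replacing `py*-requests` with `py-requests` in the `@@ -62,7 +62,7 @@` hunk removes the glob, so the entry stops matching flavoured package names of the form pyXY-requests (py27-requests, py34-requests, py37-requests), which are the names the pkg audit runs in the reply report as vulnerable. If the build failure came from something other than the name pattern, keep `py*-requests` and fix that instead. Either way, the log message "Attempt to fix vuxml build." should say which check failed, so the change can be verified against make validate and the pkg audit tests mentioned in the file.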
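
The name matching discussed in the message above, as an added example that is not part of the original post and not pkg's own code: it models the entry's package-name pattern with Python's `fnmatch` and assumes the `2.20.0` bound is a "less than" range, since the XML tags are not visible in the quoted hunk. The package list is constructed, and version comparison is simplified to dotted integers.

```python
# Added illustration (not FreeBSD pkg code): models the VuXML package-name glob
# with fnmatch and a simplified dotted-integer version comparison.
from fnmatch import fnmatchcase

# Stand-ins for the entry before and after the quoted hunk. The "lt" key is an
# assumption: the range operator is not visible in the stripped diff.
BEFORE = {"name": "py*-requests", "lt": "2.20.0"}  # r490940
AFTER = {"name": "py-requests", "lt": "2.20.0"}    # r490941


def split_pkg(pkg):
    """Split 'py27-requests-2.19.0' into ('py27-requests', '2.19.0')."""
    name, _, version = pkg.rpartition("-")
    return name, version


def version_tuple(version):
    # Simplification: plain dotted integers only (no PORTREVISION/PORTEPOCH).
    return tuple(int(part) for part in version.split("."))


def is_flagged(entry, pkg):
    """True when pkg's name matches the entry glob and its version is < 'lt'."""
    name, version = split_pkg(pkg)
    if not fnmatchcase(name, entry["name"]):
        return False
    return version_tuple(version) < version_tuple(entry["lt"])


def audit(entry, pkgs):
    """Return the subset of pkgs the entry reports as vulnerable."""
    return [pkg for pkg in pkgs if is_flagged(entry, pkg)]


# Constructed package list: the three names tested in the message, one package
# at the fixed version, and one name without a Python version prefix.
INSTALLED = [
    "py27-requests-2.19.0",
    "py34-requests-2.19.0",
    "py37-requests-2.19.0",
    "py37-requests-2.20.0",
    "py-requests-2.19.0",
]

if __name__ == "__main__":
    for label, entry in (("py*-requests", BEFORE), ("py-requests", AFTER)):
        print(label, "->", audit(entry, INSTALLED))
```

With the literal name, the three flavoured 2.19.0 packages drop out of the result, which is the false negative the reply is asking about.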