From: Cy Schubert
To: Tobias Kortkamp
cc: Cy Schubert, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r513861 - head/security/vuxml
Date: Sat, 05 Oct 2019 22:53:31 -0700
Message-Id: <201910060553.x965rVQC004137@slippy.cwsent.com>
In-reply-to: <20191006054201.GA62549@urd.tobik.me>
References: <201910060148.x961mok1058065@repo.freebsd.org> <20191006054201.GA62549@urd.tobik.me>

In message <20191006054201.GA62549@urd.tobik.me>, Tobias Kortkamp writes:
> On Sun, Oct 06, 2019 at 01:48:50AM +0000, Cy Schubert wrote:
> > Author: cy
> > Date: Sun Oct 6 01:48:49 2019
> > New Revision: 513861
> > URL: https://svnweb.freebsd.org/changeset/ports/513861
> >
> > Log:
> > Document two new Xpdf vulnerabilities: CVE-2019-16927 and CVE-2019-9877.
> >
> > PR: 241066
> > Security: https://nvd.nist.gov/vuln/detail/CVE-2019-16927
> > Security: https://nvd.nist.gov/vuln/detail/CVE-2019-9877
> > Security: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9877
> > Security: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16927
> >
> > Modified:
> > head/security/vuxml/vuln.xml
> >
> > Modified: head/security/vuxml/vuln.xml > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= > =3D=3D=3D=3D > > --- head/security/vuxml/vuln.xml Sun Oct 6 01:42:14 2019 (r51386 > 0) > > +++ head/security/vuxml/vuln.xml Sun Oct 6 01:48:49 2019 (r51386 > 1)
> > @@ -58,6 +58,49 @@ Notes: > > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > > --> > > > > + > > + Xpdf -- Multiple Vulnerabilities > > + > > + > > + xpdf > > + 4.02 > > + > > + > > + xpdf4 > > + 4.02
>
> Hi,
>
> the version range for xpdf4 (and maybe xpdf) is wrong. graphics/xpdf4
> has PORTEPOCH=1, so it should be
>
> 4.02,1
>
> Otherwise nobody will ever see this entry with pkg audit:
>
> $ pkg audit -f vuln.xml xpdf4-4.01_2,1
> 0 problem(s) in 0 installed package(s) found.
>

Thanks, fixed.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.
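Review bot: the version given for xpdf4 at the end of the hunk is a bare 4.02 with no epoch suffix, and the xpdf entry just above it uses the same bare 4.02. With PORTEPOCH=1 on graphics/xpdf4 the installed version string carries ",1" (for example xpdf4-4.01_2,1), so the bound should be written as 4.02,1. Check whether xpdf carries an epoch as well, and run pkg audit -f vuln.xml against a known-affected version of each package name to confirm the entry is reported before committing.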
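The epoch mismatch discussed in this message, as an added example (not part of the original thread, and not pkg's own comparison code): a simplified comparator that orders versions by epoch first, then upstream version, then port revision. It assumes dotted numeric versions only, and the entry dictionaries are constructed for illustration.

```python
import re

# Constructed VuXML-like entries: the bound as committed and as corrected.
AS_COMMITTED = {"topic": "Xpdf -- Multiple Vulnerabilities",
                "names": {"xpdf4"}, "lt": "4.02"}
CORRECTED = dict(AS_COMMITTED, lt="4.02,1")

# version[_revision][,epoch], e.g. 4.01_2,1 (numeric upstream versions only)
_VERSION = re.compile(r"(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?")


def parse_version(text):
    """Return (epoch, upstream, revision) so that tuples sort epoch-first."""
    m = _VERSION.fullmatch(text)
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    upstream = tuple(int(part) for part in m.group(1).split("."))
    revision = int(m.group(2) or 0)  # a missing _N means revision 0
    epoch = int(m.group(3) or 0)     # a missing ,N means epoch 0
    return (epoch, upstream, revision)


def matches_lt(installed, bound):
    """True if the installed version sorts strictly below the bound."""
    return parse_version(installed) < parse_version(bound)


def audit(package, entries):
    """Return the topics of entries that flag 'name-version'."""
    name, _, version = package.rpartition("-")
    return [e["topic"] for e in entries
            if name in e["names"] and matches_lt(version, e["lt"])]


if __name__ == "__main__":
    for entry in (AS_COMMITTED, CORRECTED):
        print(entry["lt"], "->", audit("xpdf4-4.01_2,1", [entry]))
```

A bound without the epoch sorts below every installed version that has one, so the entry as committed can never match xpdf4.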