Date: Wed, 5 Sep 2007 11:30:07 GMT
From: Remko Lodder <remko@FreeBSD.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: misc/116115: Bug in portaudit: it does not handle packagenames with ,
Message-ID: <200709051130.l85BU7re063740@freefall.freebsd.org>
The following reply was made to PR misc/116115; it has been noted by GNATS.
From: Remko Lodder <remko@FreeBSD.org>
To: Klavs Klavsen <klavs@EnableIT.dk>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/116115: Bug in portaudit: it does not handle packagenames with ,
Date: Wed, 05 Sep 2007 13:26:24 +0200
Klavs Klavsen wrote:
>> Number: 116115
>> Category: misc
>> Synopsis: Bug in portaudit: it does not handle packagenames with ,
>> Confidential: no
>> Severity: critical
>> Priority: high
>> Responsible: freebsd-bugs
>> State: open
>> Quarter:
>> Keywords:
>> Date-Required:
>> Class: sw-bug
>> Submitter-Id: current-users
>> Arrival-Date: Wed Sep 05 10:20:01 GMT 2007
>> Closed-Date:
>> Last-Modified:
>> Originator: Klavs Klavsen
>> Release: FreeBSD-6.2
>> Organization:
> EnableIT
>> Environment:
> FreeBSD tomcat5-ny.telmore.dk 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC 2007 root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP i386
>
>> Description:
> Hi guys,
>
> I was just testing portaudit on FreeBSD 6.2.
>
> I have mod_jk-1.2.19,1 installed.
>
> a portaudit -Fda does not show it's vulnerable to anything.
>
> However - it really is, and it's in the vulndb as well.
>
> If I rename mod_jk-1.2.19,1 to mod_jk-1.2.19 a portaudit -Fda (or just -a)
> says it's vulnerable.
>
> So the conclusion is that portaudit's "version number" matching doesn't
> seem to handle ,'s all that well.
>> How-To-Repeat:
> rename mod_jk to mod_jk-1.2.19,1 and see it NOT work.
>> Fix:
>
>
Actually you are incorrect strictly seen. You are correct that there is
a problem though :-). Portaudit handles the ,\d perfectly, though
PORTEPOCH (as the ,\d is called) makes version handling very different.
If a port has PORTEPOCH, this always is 'newer' than any other version
available. This is to make sure we can roll back from a newer version.
I fixed this in the vuxml document seconds ago.
Thanks for noting this!
Cheers
remko
--
Kind regards,
Remko Lodder ** remko@elvandar.org
FreeBSD ** remko@FreeBSD.org
/* Quis custodiet ipsos custodes */
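
The PORTEPOCH behaviour described in the reply above, as an added example that is not part of the original message and not portaudit's own code: a simplified comparator for `version[_revision][,epoch]` strings showing why a "less than" range written without the epoch never matches `mod_jk-1.2.19,1`. The bound `1.2.99` and the helper names are constructed for illustration, and only purely numeric dotted versions are handled.

```python
import re

def parse_version(pkgver):
    """Split 'version[_revision][,epoch]' into a sortable (epoch, parts, revision) key."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?", pkgver)
    if m is None:
        raise ValueError(f"unsupported version string: {pkgver!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    epoch = int(m.group(3) or 0)
    # The epoch is placed first: if it differs, it alone decides the ordering.
    return (epoch, parts, revision)

def is_affected(installed, upper_bound):
    """True when installed < upper_bound, i.e. a '<' range in an entry matches."""
    return parse_version(installed) < parse_version(upper_bound)

def audit(installed_pkgs, entries):
    """Return the installed packages matched by (name, upper_bound) entries."""
    findings = []
    for pkg in installed_pkgs:
        name, _, ver = pkg.rpartition("-")
        for entry_name, bound in entries:
            if entry_name == name and is_affected(ver, bound):
                findings.append(pkg)
    return findings

# Package name taken from the report; the entries are constructed placeholders,
# not the real VuXML ranges.
INSTALLED = ["mod_jk-1.2.19,1"]
ENTRY_WITHOUT_EPOCH = [("mod_jk", "1.2.99")]    # bound has implicit epoch 0
ENTRY_WITH_EPOCH = [("mod_jk", "1.2.99,1")]     # bound carries the port's epoch

if __name__ == "__main__":
    # Epoch 1 sorts above every epoch-0 version: silent false negative.
    print("range without epoch:", audit(INSTALLED, ENTRY_WITHOUT_EPOCH))
    # With the epoch in the range, the installed package is flagged.
    print("range with epoch:   ", audit(INSTALLED, ENTRY_WITH_EPOCH))
    # Dropping the ',1' (as the reporter did by renaming) makes the old range match.
    print("renamed package:    ", audit(["mod_jk-1.2.19"], ENTRY_WITHOUT_EPOCH))
```

When auditing a vulnerability database, the same comparison can be run over every entry whose port has a non-zero PORTEPOCH to find ranges that can no longer match any installed version.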
