Date: Thu, 10 Sep 2015 19:28:34 -0400 (EDT)
From: Terry Kennedy <TERRY@tmk.com>
To: swills@freebsd.org, sunpoet@freebsd.org, ruby@freebsd.org
Subject: vuln.xml r383968 issue with ruby20 port r396436
Message-ID: <01PQLEEZZHAC002KY9@tmk.com>

[I am sending this directly in the belief that it may be affecting other ruby20 users as well as myself; if you prefer I open a PR instead of emailing you directly, just let me know.]

I am experiencing some odd behavior with "pkg audit" and the ruby20 port. I had version 2.0.0.645,1 of the port installed and "pkg audit" did not complain about it. However, the port was recently updated to 2.0.0.647,1 and portupgrade refuses to install that version, claiming it is affected by CVE-2015-1855. I have "DEFAULT_VERSIONS+=ruby=2.0" in /etc/make.conf as directed in an UPDATING entry of some time ago.

This would seem to be the opposite of the desired effect, as both the vuln.xml cite and the Ruby news here: https://www.ruby-lang.org/en/news/2015/08/18/ruby-2-0-0-p647-released/ claim that 645 is vulnerable and 647 isn't.

I tried to see what was going on, in the hope of submitting a patch instead of just reporting the issue, but became mired in the complexity of the ruby meta-port, bsd.ruby.mk, etc.

Thanks,
Terry Kennedy    http://www.tmk.com
terry@tmk.com    New York, NY USA