From: Terry Kennedy
Date: Thu, 10 Sep 2015 19:28:34 -0400 (EDT)
Subject: vuln.xml r383968 issue with ruby20 port r396436
To: swills@freebsd.org, sunpoet@freebsd.org, ruby@freebsd.org
Message-id: <01PQLEEZZHAC002KY9@tmk.com>
List-Id: FreeBSD-specific Ruby discussions

[I am sending this directly in the belief that it may be affecting other ruby20 users as well as myself; if you prefer I
open a PR instead of emailing you directly, just let me know.]

I am experiencing some odd behavior with "pkg audit" and the ruby20 port. I had version 2.0.0.645,1 of the port installed and "pkg audit" did not complain about it. However, the port was recently updated to 2.0.0.647,1 and portupgrade refuses to install that version, claiming it is affected by CVE-2015-1855. I have "DEFAULT_VERSIONS+=ruby=2.0" in /etc/make.conf as directed in an UPDATING entry of some time ago.

This would seem to be the opposite of the desired effect, as both the vuln.xml cite and the Ruby news here:

https://www.ruby-lang.org/en/news/2015/08/18/ruby-2-0-0-p647-released/

claim that 645 is vulnerable and 647 isn't.

I tried to see what was going on, in the hope of submitting a patch instead of just reporting the issue, but became mired in the complexity of the ruby meta-port, bsd.ruby.mk, etc.

Thanks,
Terry Kennedy
http://www.tmk.com
terry@tmk.com
New York, NY USA
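As an added illustration of what "pkg audit" is doing with vuln.xml (example code written for this thread, not code from pkg(8) or the ports tree): it parses a constructed vuln.xml fragment for CVE-2015-1855 and tests the two ruby versions mentioned above against its range, using a simplified approximation of pkg's version ordering (epoch after ',', dotted numeric components, then PORTREVISION after '_'). The range bounds and the vid are assumptions, not the real r383968 entry.

```python
# Added example (not pkg(8)'s code): evaluate a vuln.xml-style <range> against
# FreeBSD package versions. The comparison is a simplified approximation of
# pkg's ordering: epoch after ',' wins, then dotted numeric components, then
# PORTREVISION after '_'. The XML below is constructed, not the r383968 entry.
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
VULN_XML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
 <vuln vid="CONSTRUCTED-EXAMPLE-VID">
  <affects><package><name>ruby</name>
   <range><ge>2.0.0,1</ge><lt>2.0.0.647,1</lt></range>
  </package></affects>
  <references><cvename>CVE-2015-1855</cvename></references>
 </vuln></vuxml>"""

def parse_version(ver):
    """Split 'X.Y.Z_REV,EPOCH' into (epoch, numeric components, portrevision)."""
    epoch = rev = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    if "_" in ver:
        ver, r = ver.rsplit("_", 1)
        rev = int(r)
    parts = [int(p) if p.isdigit() else 0 for p in ver.split(".")]
    return epoch, parts, rev

def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))  # pad so 2.0.0 and 2.0.0.0 compare equal
    ka = (ea, pa + [0] * (n - len(pa)), ra)
    kb = (eb, pb + [0] * (n - len(pb)), rb)
    return (ka > kb) - (ka < kb)

OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def affected(xml_text, pkgname, version):
    """Return CVE names whose ranges match (pkgname, version), as an audit would."""
    hits = []
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkg.findtext("v:name", namespaces=NS) != pkgname:
                continue
            # every bound inside one <range> must hold for that range to match
            if any(all(OPS[b.tag.split("}")[1]](compare(version, b.text)) for b in rng)
                   for rng in pkg.findall("v:range", NS)):
                hits += [c.text for c in vuln.findall("v:references/v:cvename", NS)]
    return hits

if __name__ == "__main__":
    for v in ("2.0.0.645,1", "2.0.0.647,1"):
        print(v, affected(VULN_XML, "ruby", v))
```

With a correctly written `<lt>2.0.0.647,1</lt>` bound, 2.0.0.645,1 is flagged and 2.0.0.647,1 is not; if the installed tool reports the opposite, the first thing to compare is the exact bound text in the vuln.xml revision in use against the version string pkg sees.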