Date: Thu, 17 Nov 2022 13:38:47 -0500
From: Garrett Wollman <wollman@freebsd.org>
To: freebsd-security@freebsd.org
Subject: vuxml entry error for krb5
Message-ID: <25462.32695.665376.679464@hergotha.csail.mit.edu>

Not sure who to address this to, so hopefully someone more knowledgeable about vuxml can explain what needs to be fixed here.

https://vuxml.freebsd.org/freebsd/094e4a5b-6511-11ed-8c5e-206a8a720317.html gives incorrect "affected packages" for the main `krb5` package: it claims that all versions < 1.20_1 are affected, but in fact the vulnerable versions are 1.20 < x < 1.20_1 OR 1.19 < x < 1.19.3_1 OR x < 1.19.

This means that if you have KRB5_VERSION=119 set in make.conf, you will get packages that are *not* vulnerable, but `pkg audit` will claim that they are.

-GAWollman
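The mismatch described in the message, as an added example that is not part of the original e-mail: a simplified Python model of OR'd version ranges, comparing the single range the entry published with the three ranges the message lists. Assumptions: the comparator handles only dotted numeric versions with an optional `_N` port revision (it is not pkg's full comparison algorithm), lower bounds are treated as inclusive, and the sample version list is constructed.

```python
import re

def parse(version):
    """Split 'X.Y.Z_N' into ((X, Y, Z), N); N is the port revision, 0 if absent."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def in_range(version, ge=None, lt=None):
    """True if ge <= version < lt; a missing bound is unbounded."""
    v = parse(version)
    return (ge is None or v >= parse(ge)) and (lt is None or v < parse(lt))

def affected(version, ranges):
    """A package is affected if ANY of its ranges matches (ranges are OR'd)."""
    return any(in_range(version, **r) for r in ranges)

# The single range the entry published for krb5, per the message.
PUBLISHED = [{"lt": "1.20_1"}]
# The three ranges the message lists (lower bounds inclusive: an assumption).
CORRECTED = [
    {"ge": "1.20", "lt": "1.20_1"},
    {"ge": "1.19", "lt": "1.19.3_1"},
    {"lt": "1.19"},
]

def false_positives(versions):
    """Versions flagged by PUBLISHED that CORRECTED considers fixed."""
    return [v for v in versions
            if affected(v, PUBLISHED) and not affected(v, CORRECTED)]

# Constructed sample of installed krb5 versions.
SAMPLE = ["1.18.3", "1.19.3", "1.19.3_1", "1.19.4", "1.20", "1.20_1"]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v:10} published={affected(v, PUBLISHED)!s:5} "
              f"corrected={affected(v, CORRECTED)}")
    print("false positives:", false_positives(SAMPLE))
```

With the single published range, a patched 1.19 build such as 1.19.3_1 is still reported as affected, which is the `pkg audit` false positive the message describes.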