cvs commit: ports/security/vuxml vuln.xml
Olli Hauer
ohauer at FreeBSD.org
Tue May 24 23:59:59 UTC 2011
On 2011-05-25 01:36, Wesley Shields wrote:
> On Wed, May 25, 2011 at 01:26:38AM +0200, olli hauer wrote:
>> On 2011-05-25 01:24, Wesley Shields wrote:
>>> On Tue, May 24, 2011 at 10:59:52PM +0000, Olli Hauer wrote:
>>>> ohauer 2011-05-24 22:59:52 UTC
>>>>
>>>> FreeBSD ports repository
>>>>
>>>> Modified files:
>>>> security/vuxml vuln.xml
>>>> Log:
>>>> - use apr-* and add <gt></gt> entries for all apr0/apr1 issues
>>>> (<gt> .. is needed else the parser cannot make a difference
>>>> between apr0 and apr1)
>>>>
>>>> - lowercase ViewVC -> viewvc
>>>>
>>>> Thanks Jun Kuriyama ( kuriyama@ ) for the notice and the patch
>>>> for the apr entries.
>>>
>>> The apr-* stuff broke the build.
>>>
>>> -- WXS
>>>
>>
>> grrrr, I see the same, but only on my 8.2 machines; no issues on 7.4.
>>
>> Do you have a chance to verify this (7.4/8.x)?
>
> I'm not sure what you mean, and it is probably because I was not clear.
> The vuxml build is broken. I can't speak for the build of the ports
> themselves.
>
> Sorry for the confusion.
>
> -- WXS
Hm, now I need someone's help.
I just noticed an issue with the vxquery portaudit parser.
If a vuln.xml entry does not match the exact portname, it will not be detected.
For example the entry
<package>
<name>apr-*</name>
<range><ge>1.4.0.1.3.0</ge><lt>1.4.5.1.3.12</lt></range>
</package>
will be detected by portaudit but vxquery expects in my case
<package>
<name>apr-ipv6-devrandom-gdbm-db47</name>
<range><lt>1.4.5.1.3.12</lt></range>
</package>
Unfortunately the package name for apr reflects the build options
and we can end up with a few hundred different package names.
(5 options * possible (bdb|mysql|pgsql|ldap|sqlite) versions)
So what's the best way to document the apr issue?
This entry is not recognized by portaudit and vxquery.
<package>
<name>apr1</name>
<range><lt>1.4.5.1.3.12</lt></range>
</package>
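
The name-matching difference described in the message above, as an added example that is not part of the original thread and is not portaudit or vxquery code: glob matching of the <name> entry versus exact-name matching, plus the <ge>/<lt> bounds. The function names, the sample wrapper element and the simplified numeric version comparison are assumptions made for illustration.

```python
import fnmatch
import operator
import xml.etree.ElementTree as ET

# Constructed sample: the apr-* and apr1 <package> entries quoted in the
# message, wrapped in a root element so they parse as one document.
SAMPLE = """<affects>
<package><name>apr-*</name>
<range><ge>1.4.0.1.3.0</ge><lt>1.4.5.1.3.12</lt></range></package>
<package><name>apr1</name>
<range><lt>1.4.5.1.3.12</lt></range></package>
</affects>"""

# VuXML range bound elements mapped to comparison operators.
OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}

def vtuple(version):
    # Assumption: purely numeric dotted versions (no PORTREVISION/PORTEPOCH
    # suffixes), which is enough for the versions shown in the message.
    return tuple(int(part) for part in version.split("."))

def in_range(version, rng):
    # Every bound inside one <range> must hold.
    return all(OPS[b.tag](vtuple(version), vtuple(b.text.strip())) for b in rng)

def affected(pkgname, version, xml_text, glob=True):
    """Return the <name> patterns whose name and version range both match.

    glob=True treats <name> as a shell glob (the behaviour under which the
    apr-* entry is detected); glob=False requires the exact package name.
    """
    hits = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        ranges = pkg.findall("range")
        for name in pkg.findall("name"):
            pattern = name.text.strip()
            if glob:
                name_ok = fnmatch.fnmatchcase(pkgname, pattern)
            else:
                name_ok = pkgname == pattern
            if name_ok and any(in_range(version, r) for r in ranges):
                hits.append(pattern)
    return hits

if __name__ == "__main__":
    pkg = "apr-ipv6-devrandom-gdbm-db47"   # package name from the message
    print(affected(pkg, "1.4.2.1.3.10", SAMPLE))              # glob match
    print(affected(pkg, "1.4.2.1.3.10", SAMPLE, glob=False))  # exact match
```

The installed version 1.4.2.1.3.10 and the 0.9-series version used in checks are constructed values; only the package name and the range bounds come from the message.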