FreeBSD Port: ruby20-2.0.0.645,1 - reported as vulnerable while it isn't ?

Ing. Bretislav Kubesa bretislav.kubesa at gmail.com
Sun Jun 21 19:55:50 UTC 2015


Hi,
not sure if I can help further, but if I understand correctly, yes - ruby 2.0
is/was default.

*pkg audit* (after forced upgrade)

ruby-2.0.0.645,1 is vulnerable:
Ruby -- OpenSSL Hostname Verification Vulnerability
CVE: CVE-2015-1855
WWW: https://vuxml.FreeBSD.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html

*pkg info | grep ruby*

ruby-2.0.0.645,1               Object-oriented interpreted scripting language

*make.conf* - ruby related part :
#
# Keep ruby 2.0 as default version
#
DEFAULT_VERSIONS+=ruby=2.0

Best regards,
Bretislav Kubesa


On Sun, 21 Jun 2015 at 16:54, Steve Wills <swills at freebsd.org> wrote:

> Hi,
>
> Did you build your own ports where ruby 2.0 was default? I see the package
> name here is ruby-2.0.0.645,1, not ruby20-2.0.0.645,1. The entries in vuxml
> look like this:
>
>         <name>ruby20</name>
>         <range><lt>2.0.0.645,1</lt></range>
>
> ...
>
>         <name>ruby</name>
>         <range><lt>2.1.6,1</lt></range>
>
> So I think maybe it's matching the second entry and then looking for a ruby
> version 2.1.6,1 or newer. Not sure what the right solution is for this right
> now.
>
> Steve
>
>
> On Sun, Jun 21, 2015 at 08:43:33AM +0200, Ing. Břetislav Kubesa wrote:
> > Hi,
> >
> > already for longer time while updating to 2.0.0.645,1 version, I'm
> > getting message that it's vulnerable, but I think it's not the case as
> > vulnerable are ruby20 < 2.0.0.645,1 (but it's not ruby20 <= 2.0.0.645,1).
> > However I'm not sure where to report it for checking, so I hope it's the
> > right place here.
> >
> > Thank you.
> >
> >
> > --->  Upgrading 'ruby-2.0.0.643_1,1' to 'ruby-2.0.0.645,1' (lang/ruby20)
> > --->  Building '/usr/ports/lang/ruby20'
> > ===>  Cleaning for ruby-2.0.0.645,1
> > ===>  ruby-2.0.0.645,1 has known vulnerabilities:
> > ruby-2.0.0.645,1 is vulnerable:
> > Ruby -- OpenSSL Hostname Verification Vulnerability
> > CVE: CVE-2015-1855
> > WWW: http://vuxml.FreeBSD.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html
> >
> > Best regards,
> > Bretislav Kubesa
> > _______________________________________________
> > freebsd-ports at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> > To unsubscribe, send any mail to "freebsd-ports-unsubscribe at freebsd.org"
>
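
The following is an added example, not part of the thread or of pkg's own code. It models the explanation suggested in Steve Wills's reply: the audit matches on package name first, so a package named `ruby` is checked against the `ruby` range rather than the `ruby20` one. The XML fragment is constructed from the two entries quoted above, the function names are hypothetical, and the version comparison is a simplified assumption that handles only numeric dotted versions with an optional `_revision` and `,epoch`.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the two entries quoted in the thread.
VUXML = """
<affects>
  <package><name>ruby20</name><range><lt>2.0.0.645,1</lt></range></package>
  <package><name>ruby</name><range><lt>2.1.6,1</lt></range></package>
</affects>
"""

def parse_version(v):
    """Turn 'X.Y.Z_rev,epoch' into a sortable key: (epoch, numeric parts, revision).
    Simplified assumption: numeric components only."""
    v, _, epoch = v.partition(",")
    v, _, rev = v.partition("_")
    return (int(epoch or 0), tuple(int(p) for p in v.split(".")), int(rev or 0))

def split_pkg(pkg):
    """Split 'name-version' at the last hyphen."""
    name, _, version = pkg.rpartition("-")
    return name, version

def matching_entries(pkg, vuxml=VUXML):
    """Return the (name, range) entries that flag this package as affected."""
    name, version = split_pkg(pkg)
    installed = parse_version(version)
    hits = []
    for package in ET.fromstring(vuxml).iter("package"):
        # The name decides which range applies; the origin (lang/ruby20) is not consulted.
        if package.findtext("name") != name:
            continue
        for lt in package.iter("lt"):
            if installed < parse_version(lt.text):
                hits.append((name, "<" + lt.text))
    return hits

if __name__ == "__main__":
    for pkg in ("ruby-2.0.0.645,1", "ruby20-2.0.0.645,1"):
        print(pkg, "->", matching_entries(pkg) or "not affected")
```
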