git: 7296fd2fe2b0 - main - security/vuxml: clean up sqlite3 version range mess
Date: Fri, 01 Aug 2025 09:43:47 UTC
The branch main has been updated by mandree:
URL: https://cgit.FreeBSD.org/ports/commit/?id=7296fd2fe2b0415f31fe4b843f05b942ae8f9819
commit 7296fd2fe2b0415f31fe4b843f05b942ae8f9819
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-08-01 09:41:36 +0000
Commit: Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-08-01 09:41:36 +0000
security/vuxml: clean up sqlite3 version range mess
Several sqlite3 entries mentioned wrong version ranges
with respect to PORTEPOCH and/or forgot the linux-*-sqlite
or, more recently, linux_base port.
While auditing this, I saw several implausible tags that used <gt>
(greater-than) in ranges where I believe that <ge> (greater-or-equal)
would be more adequate.
Add relevant reminders to vuxml's Makefile.
Fix up sqlite3's 2025 entries.
linux_base-rl9 currently ships 3.34.1-7.el9_3, see
emulators/linux_base-rl9/Makefile.version - I don't know if that's
vulnerable or was patched inside Rocky Linux, but let's err on the safe side.
I'll leave it up to emulation@ to clean up this particular entry.
---
security/vuxml/Makefile | 12 ++++++++++++
security/vuxml/vuln/2024.xml | 7 ++++---
security/vuxml/vuln/2025.xml | 14 +++++++++++++-
3 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile
index 56af61aba418..9a3ef8b7a291 100644
--- a/security/vuxml/Makefile
+++ b/security/vuxml/Makefile
@@ -83,6 +83,10 @@ validate: tidy
return 1; \
fi
${PYTHON_CMD} ${FILESDIR}/extra-validation.py ${VUXML_FLAT_FILE}
+ @${ECHO_CMD}
+ @${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and remember possible linux-* ports!'
+ @${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> where adequate.'
+ @${ECHO_CMD}
tidy: ${VUXML_FLAT_NAME}
@if [ ! -e ${LOCALBASE}/share/xml/dtd/vuxml/catalog.xml ]; \
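Review bot: The two reminder strings are written out verbatim three times — here in `validate` and twice more in the `newentry` hunk below (once before and once after newentry.sh) — so any wording fix has to be applied in three places and the copies will drift. Define each message once as a Make variable and reference it from every recipe, as sketched below; `validate`'s recipe starts before this hunk. If the double print around newentry.sh is deliberate, presumably so the hint is still visible after the interactive editing step scrolls the first copy away, a one-line comment such as `# printed before and after on purpose; the editor session hides the first copy` would stop the next reader from deduplicating it.

```make
# constructed names; pick whatever fits this Makefile's conventions
_VUXML_HINT_EPOCH=	Be sure to get versioning right for PORTEPOCH and remember possible linux-* ports!
_VUXML_HINT_GT=		Also, <gt> tags are usually wrong in ranges. Use <ge> where adequate.

# … unchanged: validate recipe up to the extra-validation.py line …
	@${ECHO_CMD}
	@${ECHO_CMD} '${_VUXML_HINT_EPOCH}'
	@${ECHO_CMD} '${_VUXML_HINT_GT}'
	@${ECHO_CMD}
```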
@@ -93,7 +97,15 @@ tidy: ${VUXML_FLAT_NAME}
${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy"
newentry:
+ @${ECHO_CMD}
+ @${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and remember possible linux-* ports!'
+ @${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> where adequate.'
+ @${ECHO_CMD}
@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}"
+ @${ECHO_CMD}
+ @${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and remember possible linux-* ports!'
+ @${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> where adequate.'
+ @${ECHO_CMD}
.if defined(VID) && !empty(VID)
html: work/${VID}.html
diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index c824f0b19868..64f19bfb38aa 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -3668,15 +3668,15 @@
<affects>
<package>
<name>sqlite3</name>
- <range><ge>3.43.0</ge><lt>3.43.2,1</lt></range>
+ <range><ge>3.43.0,1</ge><lt>3.43.2,1</lt></range>
</package>
<package>
<name>linux-rl9-sqlite</name>
- <range><ge>3.43.0</ge><lt>3.43.2</lt></range>
+ <range><ge>3.43.0,1</ge><lt>3.43.2,1</lt></range>
</package>
<package>
<name>linux-c7-sqlite</name>
- <range><ge>3.43.0</ge><lt>3.43.2</lt></range>
+ <range><ge>3.43.0,1</ge><lt>3.43.2,1</lt></range>
</package>
</affects>
<description>
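Review bot: The `,1` epoch added to the linux-rl9-sqlite and linux-c7-sqlite ranges (`<ge>3.43.0,1</ge><lt>3.43.2,1</lt>`) only matches if those ports themselves carry PORTEPOCH 1, which this page cannot confirm; the 2025.xml hunk in the same commit leaves linux-c7-sqlite at `<lt>3.50.2</lt>` without an epoch, so the two entries make opposite assumptions and at least one of them is wrong. As far as I recall pkg's version ordering, the epoch compares before the version, so an epoch mismatch does not give a partial match but makes the range silently miss every installed version, which is exactly the failure a vuxml audit cannot catch. Please check the two ports' PORTEPOCH and align both entries to it. The sqlite3 range change itself is consistent with the commit message.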
@@ -3698,6 +3698,7 @@
<dates>
<discovery>2024-01-16</discovery>
<entry>2024-09-29</entry>
+ <modified>2025-08-01</modified>
</dates>
</vuln>
diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index b8d669821d8b..8f68010d3ba5 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -3,8 +3,10 @@
<affects>
<package>
<name>sqlite3</name>
- <range><gt>3.39.2</gt><lt>3.41.1</lt></range>
+ <range><ge>3.39.2,1</ge><lt>3.41.2,1</lt></range>
</package>
+ <!-- as of 2025-08-01, sqlite in -c7 is 3.7.17 and matched by the <3.50.2 below,
+ and -rl9 aka linux_base ships 3.34.1 which is outside this range. -->
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
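Review bot: The upper bound moves from `<lt>3.41.1</lt>` to `<lt>3.41.2,1</lt>`, which adds 3.41.1 to the affected range, but neither the commit message nor the new comment says where 3.41.2 as the first fixed version comes from; the `<gt>` to `<ge>` change is explained, the bound change is not. A short pointer in the new comment, e.g. `<!-- fixed in 3.41.2 per UPSTREAM_REFERENCE -->` with the actual reference filled in, would let the next auditor verify it without redoing the research. The comment is also a dated snapshot ("as of 2025-08-01") of what the linux ports ship, which is fine as long as readers understand it is not maintained when those ports move.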
@@ -26,6 +28,7 @@
<dates>
<discovery>2025-07-29</discovery>
<entry>2025-07-31</entry>
+ <modified>2025-08-01</modified>
</dates>
</vuln>
@@ -959,8 +962,16 @@
<affects>
<package>
<name>sqlite3</name>
+ <range><lt>3.50.2,1</lt></range>
+ </package>
+ <package>
+ <name>linux-c7-sqlite</name>
<range><lt>3.50.2</lt></range>
</package>
+ <package>
+ <name>linux_base</name>
+ <range><ge>0</ge></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
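Review bot: `<name>linux_base</name>` with `<ge>0</ge>` is meant to err on the safe side, but vuxml matches on the installed package's base name, and the commit message itself refers to the port as linux_base-rl9; if the package name carries that suffix (and likewise for the c7 variant), this entry matches nothing and pkg audit stays silent instead of over-reporting. Please confirm the exact package base name against the emulators/ port Makefiles and use it, with one `<package>` element per variant if they differ. Since the commit message hands this entry to emulation@ for cleanup, a comment inside the element, e.g. `<!-- TODO(emulation@): confirm whether the 3.34.1 shipped by linux_base-rl9 is patched, then narrow this range -->`, would keep that context with the entry rather than only in git history.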
@@ -980,6 +991,7 @@
<dates>
<discovery>2025-07-15</discovery>
<entry>2025-07-23</entry>
+ <modified>2025-08-01</modified>
</dates>
</vuln>