Re: git: e021f7c2c5cb - main - security/vuxml: document tomcat vulnerabilities
Date: Mon, 14 Jul 2025 17:13:27 UTC
Michael Osipov <michaelo@FreeBSD.org> writes:
> On 2025-07-10 23:25, Sergey A. Osokin wrote:
>
>> The branch main has been updated by osa:
>> URL:
>> https://cgit.FreeBSD.org/ports/commit/?id=e021f7c2c5cb428f54e3590d8889ce6fec957163
>> commit e021f7c2c5cb428f54e3590d8889ce6fec957163
>> Author: Sergey A. Osokin <osa@FreeBSD.org>
>> AuthorDate: 2025-07-10 21:24:29 +0000
>> Commit: Sergey A. Osokin <osa@FreeBSD.org>
>> CommitDate: 2025-07-10 21:24:29 +0000
>> security/vuxml: document tomcat vulnerabilities
>
> Something seems off here:
>> # pkg audit -F
>> vulnxml file up-to-date
>> ...
>> tomcat9-9.0.107 is vulnerable:
>> Apache Tomcat -- Multiple Vulnerabilities
>> CVE: CVE-2025-53506
>> CVE: CVE-2025-52520
>> CVE: CVE-2025-52434
>> WWW: https://vuxml.FreeBSD.org/freebsd/ef87346f-5dd0-11f0-beb2-ac5afc632ba3.html
>> ...
>
> All of them are addressed in 9.0.107:
> https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.107
>
> My fault? I build with poudriere and then distribute.
Likely a bug in <range> usage.
$ cd security/vuxml
$ make install
$ make validate
$ pkg audit -f vuln-flat.xml tomcat101-999999
tomcat101-999999 is vulnerable:
Apache Tomcat -- Multiple Vulnerabilities
CVE: CVE-2025-53506
CVE: CVE-2025-52520
CVE: CVE-2025-52434
WWW: https://vuxml.FreeBSD.org/freebsd/ef87346f-5dd0-11f0-beb2-ac5afc632ba3.html
1 problem(s) in 1 installed package(s) found.
diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index 3df49be5c53d..37b49884ae46 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -240,18 +240,15 @@
<affects>
<package>
<name>tomcat110</name>
- <range><gt>11.0.0</gt></range>
- <range><lt>11.0.9</lt></range>
+ <range><ge>11.0.0</ge><lt>11.0.9</lt></range>
</package>
<package>
<name>tomcat101</name>
- <range><gt>10.1.0</gt></range>
- <range><lt>10.1.43</lt></range>
+ <range><ge>10.1.0</ge><lt>10.1.43</lt></range>
</package>
<package>
<name>tomcat9</name>
- <range><gt>9.0.0</gt></range>
- <range><lt>9.0.107</lt></range>
+ <range><ge>9.0.0</ge><lt>9.0.107</lt></range>
</package>
</affects>
<description>
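Review bot: the root cause is that VuXML treats each `<range>` element under a `<package>` as an independent alternative, so the original pair `<range><gt>9.0.0</gt></range>` / `<range><lt>9.0.107</lt></range>` matched any version above 9.0.0 on its own, which is why the fixed 9.0.107 (and the synthetic tomcat101-999999 above) were reported; collapsing both bounds into one `<range><ge>…</ge><lt>…</lt></range>` per package is the right fix, since bounds inside a single range must all hold. Two things to confirm before committing: the lower bound also changes from `<gt>` to `<ge>`, so 11.0.0, 10.1.0 and 9.0.0 themselves are now flagged, which should be deliberate rather than incidental; and the hunk header says 18 lines were replaced by 15 while only nine removed and added lines are shown here, so the rest of the hunk is not visible in this reply. After the change, re-run `make validate` and `pkg audit -f vuln-flat.xml tomcat9-9.0.107` (and the corresponding 10.1.43 and 11.0.9 packages) to check that the fixed versions no longer match and that a version below each upper bound still does.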