[Bug 286455] pkg-audit(8) listing false positives for librewolf v137.0.2 with "vuln.xml" of 20250425
Date: Sun, 01 Jun 2025 06:02:25 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286455
--- Comment #8 from ax61@disroot.org ---
(In reply to Fernando Apesteguía from comment #7)
Since opening this PR, I have been trying to understand why the major version
seemingly is not taken into account. From the attached JSON output ...
  "pkg_count": 1,
  "packages": {
    "librewolf": {
      "version": "137.0.2",
      "issue_count": 6,
      "issues": [
        {
          "Affected versions": [
            "< 136.0,2"
          ],
          "description": "mozilla -- memory corruption",
          "cve": [
            "CVE-2025-1934",
            "CVE-2025-1935",
            "CVE-2025-1938"
          ],
          "url": "https://vuxml.FreeBSD.org/freebsd/b31a4e74-109d-11f0-8195-b42e991fc52e.html"
        },
        ...
The version of "librewolf" is "137.0.2"; the affected versions are those less than
"136.0,2". So, does the commit imply that PORTEPOCH causes more weight to be
given to PORTEPOCH, overriding the "simple" comparison of major versions?
--
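The comparison the reporter is asking about can be reproduced with a small model of FreeBSD's package version ordering, where a version string has the shape VERSION[_REVISION][,EPOCH] and the epoch (the number after the comma) is compared before anything else. The following is an added illustration written for this page, not pkg(8)'s or VuXML's own comparison code; it handles only dotted numeric versions with an optional revision and epoch, and uses the version and range values quoted in the JSON above as constructed inputs.

```python
import re
from typing import List, Tuple

# Simplified model of FreeBSD package version ordering
# (VERSION[_REVISION][,EPOCH]). Illustration only, not pkg(8) code:
# only dotted numeric versions are supported.

def parse_pkg_version(text: str) -> Tuple[int, List[int], int]:
    """Return (epoch, numeric components, revision) for a version string."""
    epoch = 0
    revision = 0
    body = text.strip()
    if "," in body:
        body, epoch_str = body.split(",", 1)
        epoch = int(epoch_str)
    if "_" in body:
        body, rev_str = body.split("_", 1)
        revision = int(rev_str)
    if not re.fullmatch(r"\d+(\.\d+)*", body):
        raise ValueError(f"unsupported version syntax: {text!r}")
    components = [int(p) for p in body.split(".")]
    return epoch, components, revision

def compare_pkg_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b.
    Epoch is compared first, then the version components, then the revision."""
    ea, ca, ra = parse_pkg_version(a)
    eb, cb, rb = parse_pkg_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    width = max(len(ca), len(cb))
    ca = ca + [0] * (width - len(ca))   # "1.0" == "1.0.0"
    cb = cb + [0] * (width - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0

_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "=": lambda c: c == 0,
}

def matches_range(version: str, spec: str) -> bool:
    """Evaluate an 'Affected versions' entry such as '< 136.0,2' against version."""
    m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", spec)
    if not m:
        raise ValueError(f"unsupported range syntax: {spec!r}")
    op, bound = m.groups()
    return _OPS[op](compare_pkg_versions(version, bound))

def explain(version: str, spec: str) -> str:
    """Human-readable verdict showing which epoch each side carries."""
    verdict = "MATCHES" if matches_range(version, spec) else "does not match"
    epoch, _, _ = parse_pkg_version(version)
    bound_epoch, _, _ = parse_pkg_version(spec.lstrip("<>= "))
    return (f"{version} (epoch {epoch}) {verdict} '{spec}' "
            f"(bound epoch {bound_epoch})")

if __name__ == "__main__":
    # Values taken from the pkg-audit JSON quoted in the report.
    print(explain("137.0.2", "< 136.0,2"))    # epoch 0 < 2: matches
    print(explain("137.0.2,2", "< 136.0,2"))  # same epoch: 137.0.2 > 136.0
    print(explain("136.0_1,2", "< 136.0,2"))  # revision breaks the tie
```

The installed version "137.0.2" carries no epoch, so it is treated as epoch 0, which is less than the epoch 2 in the bound "136.0,2"; the epoch decides the comparison before the major version is ever looked at, so the range matches. The same version with epoch 2 ("137.0.2,2") falls outside the range, which is why an epoch mismatch between a port and its VuXML entry shows up as an audit hit regardless of how new the main version number is.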