cvs commit: ports/security/vuxml vuln.xml

Simon L. Nielsen simon at
Tue Jul 24 22:43:13 UTC 2007

On 2007.07.25 06:30:31 +0800, Xin LI wrote:
> Simon L. Nielsen wrote:
>> On 2007.07.24 14:17:07 +0000, Xin LI wrote:
>>> delphij     2007-07-24 14:17:07 UTC
>>>   FreeBSD ports repository
>>>   Modified files:
>>>     security/vuxml       vuln.xml   Log:
>>>   The previous vuxml entry applies to jakarta-tomcat 4.0.x as well, so 
>>> mark
>>>   it as affected as well.  Since there is no newer release I have used 
>>> 4.1.0
>>>   as the "fixed" version.
>> Has it actually been fixed in 4.1.0?  If not you should just not set a
>> top version to avoid a new release which actually doesn't fix the
>> issue being marked secure.
> No.  The version is chosen because that 4.1.0 is greater than the possible 
> version (the port itself is 4.0.x).  Should there be a better way to 
> represent it, please feel free to commit a fix, thanks!

I just checked - and from
reading that the fixes should be in 4.1.36 (even if that isn't in
ports), does that seem correct?  I never used tomcat so I don't know
if there I'm missing something.  If it is fixed in upstream 4.1.36 it
would be fine just to mark the vulnerability as fixed in 4.1.36, even
if that isn't in ports yet.

Simon L. Nielsen

More information about the cvs-ports mailing list