cvs commit: ports/security/vuxml vuln.xml
Simon L. Nielsen
simon at FreeBSD.org
Tue Jul 24 22:43:13 UTC 2007
On 2007.07.25 06:30:31 +0800, Xin LI wrote:
> Simon L. Nielsen wrote:
>> On 2007.07.24 14:17:07 +0000, Xin LI wrote:
>>> delphij 2007-07-24 14:17:07 UTC
>>>
>>> FreeBSD ports repository
>>>
>>> Modified files:
>>> security/vuxml vuln.xml Log:
>>> The previous vuxml entry applies to jakarta-tomcat 4.0.x as well, so
>>> mark
>>> it as affected as well. Since there is no newer release I have used
>>> 4.1.0
>>> as the "fixed" version.
>> Has it actually been fixed in 4.1.0? If not you should just not set a
>> top version to avoid a new release which actually doesn't fix the
>> issue being marked secure.
>
> No. The version is chosen because that 4.1.0 is greater than the possible
> version (the port itself is 4.0.x). Should there be a better way to
> represent it, please feel free to commit a fix, thanks!
I just checked http://tomcat.apache.org/security-4.html - and from
reading that the fixes should be in 4.1.36 (even if that isn't in
ports), does that seem correct? I never used tomcat so I don't know
if there I'm missing something. If it is fixed in upstream 4.1.36 it
would be fine just to mark the vulnerability as fixed in 4.1.36, even
if that isn't in ports yet.
--
Simon L. Nielsen
More information about the cvs-ports
mailing list