ports/103313: portaudit reports bogus java/diablo-jdk15 vulnerabity due to incorrect pkg naming

[Simon L. Nielsen]

On 2006.09.17 01:45:10 +0700, Vadim Goncharov wrote:
> 17.09.06 @ 00:26 Greg Lewis wrote:
> 
> >Synopsis: portaudit reports bogus java/diablo-jdk15 vulnerabity due to  
> >incorrect pkg naming
> >
> >State-Changed-From-To: open->closed
> >State-Changed-By: glewis
> >State-Changed-When: Sat Sep 16 17:26:05 UTC 2006
> >State-Changed-Why:
> >This was fixed by remko@'s recent commit to vuln.xml (rev. 1.1131).
> >
> >http://www.freebsd.org/cgi/query-pr.cgi?pr=103313
> 
> That's VERY BAD method of fixing things. Package names should be changed,  

No it's not.  While it sucks we have to add such workarounds to the
VuXML document there really isn't any other way to do it, and it isn't
the first time we have to do it.  The package with the bad name it out
there and being flagged as vulnerable when it isn't.

Yes, the package name should be fixed, but that doesn't change that
the workaround is needed for people who already have it installed.

Greg Lewis has already said that he's going to look at getting the
package name fixed for the next release.

> not vuln.xml! As cause of illness should always be cured, not the  
> symptoms. And, after all, even that fix was partial: it fixed only jdk on  
> fbsd 6 - my fbsd 5 IS STILL "vulnerable". And this is only jdk, but we  
> have the same problem with jre. And not only for i386, but for amd64 also  
> - 6 packages total, not 1.

Ah, yes those should also be handled.  Both remko@ and I missed that
when looking at fixing this.  I will look at handling those packages
also as soon as possible.

-- 
Simon L. Nielsen
FreeBSD Deputy Security Officer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-bugs/attachments/20060917/f5123e0e/attachment.pgp