ports/154911: bogus linux-jdk entry in vuln.xml?
Matthias Andree
mandree at FreeBSD.org
Sun Feb 20 15:50:09 UTC 2011
>Number: 154911
>Category: ports
>Synopsis: bogus linux-jdk entry in vuln.xml?
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Feb 20 15:50:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Matthias Andree
>Release: FreeBSD 8.2-PRERELEASE amd64
>Organization:
FreeBSD
>Environment:
System: FreeBSD apollo.emma.line.org 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #61: Tue
Feb 15 23:03:47 CET 2011 root at apollo.emma.line.org:/usr/obj/usr/src/sys/GENERIC
amd64
>Description:
Greetings,
vuln.xml as of revision 1.633 (Sat Apr 16 22:35:09 2005 UTC) committed by
remko and approved by simon, contains these lines in the
vid="18e5428f-ae7c-11d9-837d-000e0c2e438a" section - sorry rewriting to
pseudo-lisp syntax to avoid send-pr comment stripping:
(vuln vid="..." (topic)(affects (package (name linux-jdk)(range >= 0))))
Apparently this blocks linux-sun-jdk-1.6.0.24 upgrades in ports.
Could someone check this entry for me so that we can upgrade linux-sun-jdk
without forcing DISABLE_VULNERABILITIES?
Thanks.
I also wonder what the general policy WRT PKGNAMEPREFIX vs. PORTNAME is
for the vulnerability checking.
Error received from how-to-repeat section (apparently bogus):
===> linux-sun-jdk-1.6.0.24 has known vulnerabilities:
=> jdk -- jar directory traversal vulnerability.
Reference: http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html
>How-To-Repeat:
cd /usr/ports/java/linux-sun-jdk16 && make
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list