ports/154911: bogus linux-jdk entry in vuln.xml?
Matthias Andree
mandree at FreeBSD.org
Sun Feb 20 18:30:14 UTC 2011
The following reply was made to PR ports/154911; it has been noted by GNATS.
From: "Matthias Andree" <mandree at FreeBSD.org>
To: "Remko Lodder" <remko at FreeBSD.org>, freebsd-gnats-submit at FreeBSD.org
Cc: "Matthias Andree" <mandree at FreeBSD.org>,
"Simon Nielsen" <simon at FreeBSD.org>, ports-security at FreeBSD.org
Subject: Re: ports/154911: bogus linux-jdk entry in vuln.xml?
Date: Sun, 20 Feb 2011 19:27:41 +0100
Remko Lodder, 2011-02-20:
> The entry has this:
>
> 41915 <package>
> 41916 <name>linux-sun-jdk</name>
> 41917 <range><le>1.4.2.08_1</le></range>
> 41918 <range><ge>1.5.*</ge><le>1.5.2.02,2</le></range>
> 41919 </package>
>
> so it shouldn't block your upgrade.
>
> The PKGNAME is:
>
> linux-sun-jdk-1.6.0.24
>
> Which is used to do the matching (linux-sun-jdk being the PKG and 1.6.0.24
> being the VERSION).
>
> That said; I don't know why this blocks..
I do now, after hacking vxquery to print matched name + range.
Read line 41918 again, very closely, and pay attention to PORTEPOCH -
basically line 41918 marks all versions with PORTEPOCH 0 and 1 vulnerable,
and all with PORTEPOCH 2 and a version <= 1.5.2.02,2. Oops.
Bottom line: affects elements need to have one line per PORTEPOCH affected
if there are multiple package versions in parallel, such as
linux-sun-jdk15 and linux-sun-jdk16.
Also note that there should be no versions containing ".*" anywhere
because we use version comparison, not globbing.
--
Matthias Andree
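As an added illustration of the PORTEPOCH point made above (this is example code written for this page, not part of the PR or of FreeBSD's own vuln.xml tooling), the following is a simplified model of FreeBSD-style package version comparison: a version string has the shape `version[_revision][,epoch]`, the epoch is compared first, then the dotted version components, then the revision. The quoted `<range>` lines from the PR are replayed against the PKGNAME version `1.6.0.24`. Assumptions in the model: characters that are neither digits nor letters (including the `*` in `1.5.*`) are simply ignored, so `1.5.*` compares as `1.5`; and the `CORRECTED_RANGES` entry, which puts the epoch on both bounds, is a hypothetical fix to show the mechanism, not the change actually committed to vuln.xml.

```python
import re

# Simplified model of FreeBSD pkg-style version comparison (example code, not the
# real implementation): "version[_revision][,epoch]", epoch dominates everything.
def parse_version(s):
    """Return (epoch, components, revision) for a FreeBSD-style version string."""
    epoch = 0
    if "," in s:
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in s:
        s, r = s.rsplit("_", 1)
        revision = int(r)
    # Numeric and alphabetic runs become components; anything else ('.', '*', ...)
    # is dropped (assumption: so a wildcard like "1.5.*" compares as plain "1.5").
    comps = []
    for tok in re.findall(r"\d+|[A-Za-z]+", s):
        comps.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return epoch, comps, revision

def compare(a, b):
    """-1, 0 or 1 like a C comparator: epoch first, then components, then revision."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    # Missing trailing components count as 0, so "1.5" == "1.5.0".
    for i in range(max(len(ca), len(cb))):
        x = ca[i] if i < len(ca) else (0, 0)
        y = cb[i] if i < len(cb) else (0, 0)
        if x != y:
            return -1 if x < y else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0

def in_range(version, ge=None, le=None):
    """True when ge <= version <= le (bounds optional), as a vuln.xml <range> is read."""
    if ge is not None and compare(version, ge) < 0:
        return False
    if le is not None and compare(version, le) > 0:
        return False
    return True

def affected(version, ranges):
    """A package is marked vulnerable if any <range> of the <package> entry matches."""
    return any(in_range(version, **r) for r in ranges)

# The two <range> lines quoted in the PR (lines 41917 and 41918 of vuln.xml).
LINUX_SUN_JDK_RANGES = [
    {"le": "1.4.2.08_1"},
    {"ge": "1.5.*", "le": "1.5.2.02,2"},
]

# Hypothetical corrected entry: the epoch appears on both bounds, so only
# PORTEPOCH 2 versions of the 1.5 line are covered. Illustrative only.
CORRECTED_RANGES = [
    {"le": "1.4.2.08_1"},
    {"ge": "1.5,2", "le": "1.5.2.02,2"},
]

def explain(version, ranges):
    """Return the first matching range (or None), like the hacked vxquery print."""
    for r in ranges:
        if in_range(version, **r):
            return r
    return None

if __name__ == "__main__":
    v = "1.6.0.24"  # the PKGNAME version from the PR, PORTEPOCH 0
    print(v, "matched by original entry:", explain(v, LINUX_SUN_JDK_RANGES))
    print(v, "matched by corrected entry:", explain(v, CORRECTED_RANGES))
```

Running it shows the mechanism the mail describes: `1.6.0.24` carries epoch 0, and any epoch-0 string is "less than" `1.5.2.02,2` (epoch 2) no matter what the dotted part says, while the lower bound `1.5.*` has no epoch at all, so the second range swallows every epoch-0 and epoch-1 version above 1.5. Once the lower bound also carries `,2`, the epoch-0 package falls outside the range.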