ruby 2.4.7,1 considered vulnerable?

Trond Endrestøl trond.endrestol at
Sat Aug 31 07:10:00 UTC 2019

Is this to be expected?

  $ pkg audit -Fr
  vulnxml file up-to-date
  ruby-2.4.7,1 is vulnerable:
  RDoc -- multiple jQuery vulnerabilities
  CVE: CVE-2015-9251
  CVE: CVE-2012-6708

  Packages that depend on ruby: ruby24-bdb, dtrace-toolkit, portupgrade

  1 problem(s) in 1 installed package(s) found.

Given this entry in /var/db/pkg/vuln.xml, I expected 2.4.7,1 to be one 
of the corrected versions:


The link for agrees with me on this one:

Affected packages
  2.4.0 <= ruby         < 2.4.7,1
  2.5.0 <= ruby         < 2.5.6,1
  2.6.0 <= ruby         < 2.6.3,1
           rubygem-rdoc < 6.1.2

Could this be a bug in pkg(8)?
