ruby 2.4.7,1 considered vulnerable?
MJ
mafsys1234 at gmail.com
Sat Aug 31 07:43:21 UTC 2019
On 31/08/2019 5:09 pm, Trond Endrestøl wrote:
> Is this to be expected?
>
> $ pkg audit -Fr
> vulnxml file up-to-date
> ruby-2.4.7,1 is vulnerable:
> RDoc -- multiple jQuery vulnerabilities
> CVE: CVE-2015-9251
> CVE: CVE-2012-6708
> WWW: https://vuxml.FreeBSD.org/freebsd/ed8d5535-ca78-11e9-980b-999ff59c22ea.html
>
> Packages that depend on ruby: ruby24-bdb, dtrace-toolkit, portupgrade
>
> 1 problem(s) in 1 installed package(s) found.
>
> Given this entry in /var/db/pkg/vuln.xml, I expected 2.4.7,1 to be one
> of the corrected versions:
>
> <package>
> <name>ruby</name>
> <range><ge>2.4.0</ge><lt>2.4.7,1</lt></range>
> <range><ge>2.5.0</ge><lt>2.5.6,1</lt></range>
> <range><ge>2.6.0</ge><lt>2.6.3,1</lt></range>
> </package>
>
> The link for vuxml.FreeBSD.org agrees with me on this one:
>
> Affected packages
> 2.4.0 <= ruby < 2.4.7,1
> 2.5.0 <= ruby < 2.5.6,1
> 2.6.0 <= ruby < 2.6.3,1
> rubygem-rdoc < 6.1.2
>
> Could this be a bug in pkg(8)?
If the fix for the vulnerability is in 2.4.7 then it would seem that way.
Given the liberal use of portepoch in the package versions I expect the maintainer has got confused.
Indeed perhaps it's the portepoch that's causing the issue. Perhaps contact the maintainer to get it
worked through?