ruby 1.8 (json issue) vs. vuxml
Matthias Andree
mandree at FreeBSD.org
Tue Feb 19 00:03:15 UTC 2013
Greetings,
following up to the IRC #bsdports discussion of Feb 18 23:30 UTC, where
people were wondering about false positives in Ruby 1.8, I propose this
change, with two effects:
1. make the "greater than" a "greater than or equal"
2. list the portepoch properly on the "ge" part, so that 1.8.7.371,1 is
no longer flagged as vulnerable.
Watch:
$ pkg_version -t 1.8.7.371,1 1.9
>
$ pkg_version -t 1.8.7.371,1 1.9,1
<
Thus, change vuln.xml like this:
<package>
<name>ruby</name>
- <range><gt>1.9</gt><lt>1.9.3.385,1</lt></range>
+ <range><ge>1.9,1</ge><lt>1.9.3.385,1</lt></range>
</package>
<package>
<name>rubygem18-json</name>
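Review bot: the excerpt ends at `<name>rubygem18-json</name>` without showing that package's `<range>`, so it is not visible whether the same epoch fix (`<gt>1.9</gt>` to `<ge>1.9,1</ge>`) is applied to the rubygem18-json entry or whether that block is left unchanged; please include the full hunk for that block or state explicitly that it needs no change. The new lower bound `<ge>1.9,1</ge>` is at least consistent with the existing upper bound `<lt>1.9.3.385,1</lt>`, which already carries the epoch.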
and ruby 1.8.7.371,1 will no longer be flagged vulnerable WRT JSON stuff.
*NOTE:* A similar patch is required for the RDoc XSS issue.
Full patch attached, to be applied in /usr/ports/security/vuxml/.
HTH
Best regards
Matthias
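To make the epoch effect concrete, here is an added example (not part of this mail or of the vuxml port) that models `pkg_version -t` ordering in Python and evaluates the quoted `<range>` before and after the change. It is a simplified model: only dotted numeric versions with an optional `_REVISION` and `,EPOCH` are handled, which is enough for the versions discussed above.

```python
"""Simplified model of `pkg_version -t` ordering applied to a VuXML <range>.
Added example, not code from the vuxml port; the grammar is reduced to
VERSION[_REVISION][,EPOCH] with numeric components (an assumption)."""
import re

_SYNTAX = re.compile(r"([0-9.]+)(?:_(\d+))?(?:,(\d+))?")

def parse(pkgver):
    """Return (epoch, version parts, revision). The epoch defaults to 0 and is
    compared first, which is why 1.8.7.371,1 sorts above a bare 1.9."""
    m = _SYNTAX.fullmatch(pkgver)
    if not m:
        raise ValueError(f"unsupported version syntax: {pkgver}")
    ver, rev, epoch = m.groups()
    return (int(epoch or 0), tuple(int(p) for p in ver.split(".")), int(rev or 0))

def pkg_version_t(a, b):
    """Like `pkg_version -t a b`: '<', '=' or '>' describing a relative to b."""
    ka, kb = parse(a), parse(b)
    return "<" if ka < kb else ">" if ka > kb else "="

def in_range(pkgver, ge=None, gt=None, lt=None, le=None):
    """Evaluate a VuXML <range> with ge/gt/lt/le bounds against pkgver."""
    cmp = lambda bound: pkg_version_t(pkgver, bound)
    if ge is not None and cmp(ge) == "<":
        return False
    if gt is not None and cmp(gt) != ">":
        return False
    if lt is not None and cmp(lt) != "<":
        return False
    if le is not None and cmp(le) == ">":
        return False
    return True

# The ruby <range> as quoted in the mail, before and after the proposed change.
OLD_RANGE = dict(gt="1.9", lt="1.9.3.385,1")
NEW_RANGE = dict(ge="1.9,1", lt="1.9.3.385,1")

def flagged(pkgver, rng):
    """True if a scanner using this range would report pkgver as vulnerable."""
    return in_range(pkgver, **rng)

if __name__ == "__main__":
    for v in ("1.8.7.371,1", "1.9.3.374,1", "1.9.3.385,1"):
        print(v, "old:", flagged(v, OLD_RANGE), "new:", flagged(v, NEW_RANGE))
```

The old range reports 1.8.7.371,1 as vulnerable purely because its epoch 1 outranks the epoch-less lower bound 1.9; the corrected range keeps flagging the affected 1.9.3 builds while excluding 1.8.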
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ruby-fix-false-vulnerable.patch
Type: text/x-patch
Size: 621 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-ruby/attachments/20130219/053b8868/attachment.bin>