[Bug 203227] vuln.xml incorrectly flagging ruby20 as insecure
bugzilla-noreply at freebsd.org
Mon Sep 21 06:24:09 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203227
Bug ID: 203227
Summary: vuln.xml incorrectly flagging ruby20 as insecure
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Ports Framework
Assignee: portmgr at FreeBSD.org
Reporter: terry at tmk.com
CC: freebsd-ports-bugs at FreeBSD.org
"pkg audit -F" incorrectly reports ruby-2.0.0.647,1 as vulnerable. I have
confirmed that it is NOT vulnerable by checking both
https://www.ruby-lang.org/en/ and
https://vuxml.freebsd.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html.
I have "DEFAULT_VERSIONS+=ruby=2.0" in my /etc/make.conf file.
It appears that the problem is in the vuln.xml file, as it checks for installed
ports named ruby20, ruby, and ruby22. If I remove the vuln.xml entry for
"ruby", the ruby20 port is no longer marked as vulnerable. It appears that some
part of the ports framework thinks that ruby20 is "ruby" for purposes of
checking for vulnerabilities.
I am not sure why that is happening, as "pkg info -o ruby" reports the origin
as ruby20.
Note: Bug filed after emailing ruby at freebsd.org and receiving no response after
10 days.
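As an added illustration of the matching the report describes (this code is not from the bug report or from pkg itself): pkg audit compares an installed package's name against each <name> in a vuln.xml entry and its version against the <range> bounds; the port origin takes no part in that comparison, and the ",1" epoch on the installed version outranks the dotted numbers. The VuXML snippet, its vid and range bounds, and the installed-package record are constructed, and lang/ruby20 is assumed as the origin.

```python
import xml.etree.ElementTree as ET

# Constructed VuXML-style document (namespace omitted for brevity). The vid and
# the range bounds are placeholders, not the contents of the real entry.
VUXML = """<vuxml>
 <vuln vid="EXAMPLE-vid">
  <affects><package>
   <name>ruby</name><name>ruby20</name><name>ruby22</name>
   <range><ge>2.0.0</ge><lt>2.0.0.999,1</lt></range>
  </package></affects>
 </vuln>
</vuxml>"""

# Constructed installed-package record. The origin (assumed lang/ruby20) is kept
# only to show that audit() never reads it: the ruby20 port installs a package
# whose *name* is "ruby", and that name is what the <name> elements match.
INSTALLED = [{"name": "ruby", "origin": "lang/ruby20", "version": "2.0.0.647,1"}]

def parse_version(s):
    """Split a FreeBSD package version 'ver[_rev][,epoch]' into a tuple that
    orders like pkg does for plain dotted versions: epoch first, then the
    dotted numbers, then the port revision."""
    epoch = rev = 0
    if "," in s:
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    if "_" in s:
        s, r = s.rsplit("_", 1)
        rev = int(r)
    return (epoch, [int(p) for p in s.split(".")], rev)

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
       "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b}

def in_range(version, range_xml):
    """True when version satisfies every bound of a <range> (Element or XML text)."""
    rng = ET.fromstring(range_xml) if isinstance(range_xml, str) else range_xml
    v = parse_version(version)
    return all(OPS[b.tag](v, parse_version(b.text)) for b in rng)

def audit(installed, vuxml_text):
    """Return (package name, vid) pairs flagged by name + version range."""
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter("vuln"):
        for pkg in vuln.iter("package"):
            names = {n.text for n in pkg.findall("name")}
            for inst in installed:
                if inst["name"] in names and any(
                        in_range(inst["version"], r) for r in pkg.findall("range")):
                    hits.append((inst["name"], vuln.get("vid")))
    return hits

if __name__ == "__main__":
    print(audit(INSTALLED, VUXML))  # [('ruby', 'EXAMPLE-vid')]
```

A range written without the epoch, such as `<lt>2.0.0.648</lt>`, does not cover `2.0.0.647,1` at all, so bounds in an entry have to carry the same epoch as the package they are meant to match.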