[Bug 251995] security/vuxml request for version ranges for www/node entries

Sun Dec 20 16:13:35 UTC 2020

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251995

            Bug ID: 251995
           Summary: security/vuxml request for version ranges for www/node
                    entries
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs at FreeBSD.org
          Reporter: 000.fbsd at quip.cz
                CC: bhughes at freebsd.org, ports-secteam at FreeBSD.org
                CC: bhughes at freebsd.org, ports-secteam at FreeBSD.org

I would like to ask for version range of www/node
https://vuxml.freebsd.org/freebsd/ad792169-2aa4-11eb-ab71-0022489ad614.html

The current specifiacation is:

Affected packages
node    <       15.2.1
node14  <       14.15.1
node12  <       12.19.1

www/node is specified without the lower end so if fix for www/node in quaterly
branch is backported from www/node14 then we have a port www/node of version
14.15.1 which is not vulnerable but is reported vulnerable be pkg audit.
Can the "affected" be always  specified as "X.0.0 < X.Y.Z" and not just "<
X.Y.Z"?
example: 
node -  15.0.0 < 15.2.1
node14 - 14.0.0 < 14.15.1
node12 - 12.0.0 < 12.19.1

Similar situation affect some other ports (vulnerabilities) too. It caused
problems for FreeBSD base vulnerablity too (last week)

-- 
You are receiving this mail because:
You are the assignee for the bug.