ruby 2.4.7,1 considered vulnerable?

[Trond Endrestøl]

Is this to be expected?

  $ pkg audit -Fr
  vulnxml file up-to-date
  ruby-2.4.7,1 is vulnerable:
  RDoc -- multiple jQuery vulnerabilities
  CVE: CVE-2015-9251
  CVE: CVE-2012-6708
  WWW: https://vuxml.FreeBSD.org/freebsd/ed8d5535-ca78-11e9-980b-999ff59c22ea.html

  Packages that depend on ruby: ruby24-bdb, dtrace-toolkit, portupgrade

  1 problem(s) in 1 installed package(s) found.

Given this entry in /var/db/pkg/vuln.xml, I expected 2.4.7,1 to be one 
of the corrected versions:

      <package>
        <name>ruby</name>
        <range><ge>2.4.0</ge><lt>2.4.7,1</lt></range>
        <range><ge>2.5.0</ge><lt>2.5.6,1</lt></range>
        <range><ge>2.6.0</ge><lt>2.6.3,1</lt></range>
      </package>

The link for vuxml.FreeBSD.org agrees with me on this one:

Affected packages
2.4.0	<=	ruby	<	2.4.7,1
2.5.0	<=	ruby	<	2.5.6,1
2.6.0	<=	ruby	<	2.6.3,1
        rubygem-rdoc	<	6.1.2

Could this be a bug in pkg(8)?

-- 
Trond.