FreeBSD Port: ruby20-2.0.0.645,1 - reported as vulnerable while it isn't ?
Steve Wills
swills at FreeBSD.org
Sun Jun 21 14:54:41 UTC 2015
Hi,
Did you build your own ports where ruby 2.0 was default? I see the package name
here is ruby-2.0.0.645,1, not ruby20-2.0.0.645,1. The entries in vuxml look
like this:
3326 <name>ruby20</name>
3327 <range><lt>2.0.0.645,1</lt></range>
...
3330 <name>ruby</name>
3331 <range><lt>2.1.6,1</lt></range>
So I think maybe it's matching the second entry and then looking for a ruby
version 2.1.6,1 or newer. Not sure what the right solution is for this right
now.
Steve
On Sun, Jun 21, 2015 at 08:43:33AM +0200, Ing. Břetislav Kubesa wrote:
> Hi,
>
> already for longer time while updating to 2.0.0.645,1 version, I'm
> getting message that it's vulnerable, but I think it's not the case as
> vulnerable are ruby20 < 2.0.0.645,1 (but it's not ruby20 <= 2.0.0.645,1).
> However I'm not sure where to report it for checking, so I hope it's the
> right place here.
>
> Thank you.
>
>
> ---> Upgrading 'ruby-2.0.0.643_1,1' to 'ruby-2.0.0.645,1' (lang/ruby20)
> ---> Building '/usr/ports/lang/ruby20'
> ===> Cleaning for ruby-2.0.0.645,1
> ===> ruby-2.0.0.645,1 has known vulnerabilities:
> ruby-2.0.0.645,1 is vulnerable:
> Ruby -- OpenSSL Hostname Verification Vulnerability
> CVE: CVE-2015-1855
> WWW:
> http://vuxml.FreeBSD.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html
>
> Best regards,
> Bretislav Kubesa
> _______________________________________________
> freebsd-ports at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe at freebsd.org"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 603 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-ruby/attachments/20150621/64417feb/attachment.sig>
More information about the freebsd-ruby
mailing list