fix for vuln.xml / committer needed
Miroslav Lachman
000.fbsd at quip.cz
Wed Sep 5 08:24:47 UTC 2018
Can somebody commit this easy fix, please?
It is annoying to get false alarms every day in daily security reports.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231054
Kind Regards
Miroslav Lachman
Miroslav Lachman wrote on 2018/08/31 12:24:
> Miroslav Lachman wrote on 2018/08/28 00:20:
>> Running pkg audit FreeBSD-10.4_11 gives me one vulnerability:
>>
>> # pkg audit FreeBSD-10.4_11
>> FreeBSD-10.4_11 is vulnerable:
>> wpa_supplicant -- unauthenticated encrypted EAPOL-Key data
>> CVE: CVE-2018-14526
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/6bedc863-9fbe-11e8-945f-206a8a720317.html
>>
>>
>> 1 problem(s) in the installed packages found.
>>
>> But information on the page shows it was fixed in 10.4-p10:
>>
>> Affected packages
>> wpa_supplicant < 2.6_2
>> FreeBSD <= 10.4_10
>> FreeBSD <= 11.2_1
>>
>> So... was it really fixed? Is there incorrect info in VuXML database
>> file or on the web page?
>
> As noted privately by Dan Lukes, there is wrong entry in vuln.xml -
> missing < 10.4 and < 11.2 (start of the range)
>
> --- vuln.xml.orig 2018-08-30 03:02:57.656941000 +0200
> +++ vuln.xml 2018-08-31 12:13:53.564345000 +0200
> @@ -525,8 +525,8 @@
> </package>
> <package>
> <name>FreeBSD</name>
> - <range><le>10.4_10</le></range>
> - <range><le>11.2_1</le></range>
> + <range><ge>10.4</ge><le>10.4_10</le></range>
> + <range><ge>11.2</ge><le>11.2_1</le></range>
> </package>
> </affects>
> <description>
>
> See PR 231054.
>
> Miroslav Lachman
More information about the freebsd-security
mailing list