http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1494
A commit references this bug:

Author: koobs
Date: Thu Feb 4 08:48:40 UTC 2016
New revision: 408017
URL: https://svnweb.freebsd.org/changeset/ports/408017

Log:
  ports-mgmt/portscout: Loop through all PyPI files

  While processing Issue 206746 [1] for a security update to security/py-rsa
  (For versions < 3.3), it was noticed that Portscout had not identified the
  newer version, released on 2016-01-13.

  Investigation revealed that the PyPI SiteHandler in Portscout only processed
  the first url/filename returned by PyPI, which in many cases is not a tar.gz,
  the default EXTRACT_SUFFIX for source distribution (sdist) files:

    [py-rsa] VersionCheck()
    [py-rsa] Checking site: https://pypi.python.org/packages/source/r/rsa/
    Does site handler exist ... Yes
    (Portscout::SiteHandler::PyPI) GET https://pypi.python.org/pypi/rsa/json
    (Portscout::SiteHandler::PyPI) GET success: 200
    Filename: rsa-3.3-py2.py3-none-any.whl
    FindNewest: Checking rsa-3.3-py2.py3-none-any.whl ... against port DISTFILES.
    FindNewest: Checking DISTFILE ... rsa-3.1.4.tar.gz (ver: 3.1.4, sufx: .tar.gz)
    [py-rsa] Done

  This change backports a commit [1] made to Portroach which adds a loop to
  enumerate all URLs/filenames in the PyPI JSON response, not just the first.

  [1] https://github.com/jasperla/portroach/commit/e93b8331f6e5f850bbb5faca866efcbf73de756c

  PR:            206746 [1]
  Obtained from: https://github.com/jasperla/portroach

Changes:
  head/ports-mgmt/portscout/Makefile
  head/ports-mgmt/portscout/files/files-Portscout-SiteHandler-PyPI.pm
  head/ports-mgmt/portscout/files/patch-Portscout_SiteHandler_PyPI.pm
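The PyPI enumeration fix described in the commit above, as an added example that is not Portscout's or Portroach's own code: it parses a constructed PyPI JSON response in which the wheel is listed before the sdist, exactly as in the trace, and contrasts the first-file-only check (which misses the 3.3 security update) with a loop over every listed file. The JSON shape (an "urls" list whose entries carry "filename") follows the PyPI JSON API; the sample data, the function names and the port version 3.1.4 used for comparison are assumptions for the example.

```python
import json
import re

# Constructed sample of the https://pypi.python.org/pypi/rsa/json response,
# trimmed to the fields used here. The wheel comes first, as in the log above.
SAMPLE_PYPI_JSON = json.dumps({
    "info": {"name": "rsa", "version": "3.3"},
    "urls": [
        {"filename": "rsa-3.3-py2.py3-none-any.whl", "packagetype": "bdist_wheel"},
        {"filename": "rsa-3.3.tar.gz", "packagetype": "sdist"},
    ],
})

def version_from_filename(filename, name, suffix):
    """Return the version embedded in '<name>-<ver><suffix>', or None if the
    filename is not a source distribution with that suffix (e.g. a wheel)."""
    pattern = r"^" + re.escape(name) + r"-(\d+(?:\.\d+)*)" + re.escape(suffix) + r"$"
    match = re.match(pattern, filename)
    return match.group(1) if match else None

def first_file_only(pypi_json, name, suffix=".tar.gz"):
    """Pre-fix behaviour: inspect only the first file PyPI lists."""
    files = json.loads(pypi_json)["urls"]
    if not files:
        return None
    return version_from_filename(files[0]["filename"], name, suffix)

def newest_sdist(pypi_json, name, suffix=".tar.gz"):
    """Fixed behaviour: loop through every listed file and keep the sdist
    that matches the expected EXTRACT_SUFFIX, whatever its position."""
    for entry in json.loads(pypi_json)["urls"]:
        version = version_from_filename(entry["filename"], name, suffix)
        if version is not None:
            return version
    return None

def version_tuple(version):
    """Compare dotted versions numerically, so 3.10 > 3.3 and 3.3 > 3.1.4."""
    return tuple(int(part) for part in version.split("."))

def update_available(candidate, port_version):
    """True when the upstream sdist version is newer than the port's DISTFILE."""
    return candidate is not None and version_tuple(candidate) > version_tuple(port_version)
```

With the port at 3.1.4, the first-file check reports no candidate at all, while the loop finds rsa-3.3.tar.gz and flags the update.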
A commit references this bug:

Author: koobs
Date: Thu Feb 4 10:35:32 UTC 2016
New revision: 408019
URL: https://svnweb.freebsd.org/changeset/ports/408019

Log:
  security/vuxml: Add CVE-2016-1494 for security/py-rsa

  PR:          206746
  Reported by: Sevan Janiyan <venture37 geeklan co.uk>

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: koobs
Date: Thu Feb 4 10:39:49 UTC 2016
New revision: 408021
URL: https://svnweb.freebsd.org/changeset/ports/408021

Log:
  security/py-rsa: Update to 3.3 (Fixes CVE-2016-1494)

  - Update PORTVERSION and distinfo checksum (3.3)
  - Modernize TEST entries (test target, TEST_DEPENDS, et al)
  - Update setup.py patch (zip_safe no longer needed)
  - Add LICENSE_FILE
  - Enable NO_ARCH

  This version fixed a security vulnerability:

  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1494

  PR:          206746
  Reported by: Sevan Janiyan <venture37 geeklan co.uk>
  Security:    e78bfc9d-cb1e-11e5-b251-0050562a4d7b
  Security:    CVE-2016-1494
  MFH:         2016Q1

Changes:
  head/security/py-rsa/Makefile
  head/security/py-rsa/distinfo
  head/security/py-rsa/files/patch-setup.py
A commit references this bug:

Author: koobs
Date: Thu Feb 4 10:44:34 UTC 2016
New revision: 408022
URL: https://svnweb.freebsd.org/changeset/ports/408022

Log:
  MFH: r408021

  security/py-rsa: Update to 3.3 (Fixes CVE-2016-1494)

  - Update PORTVERSION and distinfo checksum (3.3)
  - Modernize TEST entries (test target, TEST_DEPENDS, et al)
  - Update setup.py patch (zip_safe no longer needed)
  - Add LICENSE_FILE
  - Enable NO_ARCH

  This version fixed a security vulnerability:

  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1494

  PR:          206746
  Reported by: Sevan Janiyan <venture37 geeklan co.uk>
  Security:    e78bfc9d-cb1e-11e5-b251-0050562a4d7b
  Security:    CVE-2016-1494
  Approved by: ports-secteam (security)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/security/py-rsa/Makefile
  branches/2016Q1/security/py-rsa/distinfo
  branches/2016Q1/security/py-rsa/files/patch-setup.py
Committed, thank you for the report, Sevan. You should join ports-secteam :)