Bug 227293 - www/gitlab: 10.4.6 incorrectly marked as vulnerable
Summary: www/gitlab: 10.4.6 incorrectly marked as vulnerable
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-05 09:39 UTC by Marián Černý
Modified: 2018-04-09 15:44 UTC

See Also:
bugzilla: maintainer-feedback? (mfechner)


Attachments

Description Marián Černý 2018-04-05 09:39:18 UTC
When trying to install gitlab from ports I get the following error:

    ****> Going to install :: www/gitlab ::
    ===>  gitlab-10.4.6 has known vulnerabilities:
    gitlab-10.4.6 is vulnerable:
    Gitlab -- multiple vulnerabilities
    CVE: CVE-2018-8801
    WWW: https://vuxml.FreeBSD.org/freebsd/dc0c201c-31da-11e8-ac53-d8cb8abf62dd.html
    
    1 problem(s) in the installed packages found.
    => Please update your ports tree and try again.
    => Note: Vulnerable ports are marked as such even if there is no update available.
    => If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
    *** Error code 1
    
    Stop.
    make: stopped in /usr/ports/www/gitlab

However, the last commit to the port mentions CVE-2018-8801, so I guess it should be fixed.

When I check the website related to the vulnerability (https://vuxml.FreeBSD.org/freebsd/dc0c201c-31da-11e8-ac53-d8cb8abf62dd.html) I can see the following versions affected:

    Affected packages
    8.3	<=	gitlab	<	10.5.6
    8.3	<=	gitlab	<	10.4.6
    8.3	<=	gitlab	<	10.3.9

Isn't the problem that 10.4.6 is marked as vulnerable caused by the first expression, 8.3 <= gitlab < 10.5.6? Shouldn't the affected versions be specified as follows?

    Affected packages
    10.5.0	<=	gitlab	<	10.5.6
    10.4.0	<=	gitlab	<	10.4.6
    8.3	<=	gitlab	<	10.3.9
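Added illustration (not part of this bug report or of the VuXML tooling): a small range matcher that evaluates the two sets of ranges quoted above the way a vulnerability check does, shows why the first entry flags 10.4.6, and includes a lint that catches a range subsuming another at authoring time. Function names are mine; version comparison is a simplified dotted-integer compare, not pkg's full version algorithm (assumption).

```python
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    # "10.4.6" -> (10, 4, 6); tuples compare element by element (assumption:
    # purely numeric dotted versions, which is all this entry uses)
    return tuple(int(p) for p in v.split("."))


def parse_range(line: str) -> Tuple[Version, Version]:
    # "8.3 <= gitlab < 10.5.6" -> (lower bound inclusive, upper bound exclusive)
    lo, le, _pkg, lt, hi = line.split()
    assert le == "<=" and lt == "<", f"unexpected range syntax: {line!r}"
    return parse_version(lo), parse_version(hi)


def matching_ranges(version: str, ranges: List[str]) -> List[str]:
    # Every range whose bounds enclose `version`; a non-empty result means the
    # package is reported as vulnerable, and the list explains which line did it.
    v = parse_version(version)
    return [r for r in ranges if parse_range(r)[0] <= v < parse_range(r)[1]]


def is_vulnerable(version: str, ranges: List[str]) -> bool:
    return bool(matching_ranges(version, ranges))


def subsumed_ranges(ranges: List[str]) -> List[Tuple[str, str]]:
    # Lint for entry authors: pairs (outer, inner) where `outer` fully contains
    # `inner`, so `inner` adds no new versions and the fixed version named in
    # `inner` is still flagged by `outer`. A correct per-branch entry has none.
    found = []
    for outer in ranges:
        for inner in ranges:
            if outer is inner:
                continue
            (olo, ohi), (ilo, ihi) = parse_range(outer), parse_range(inner)
            if olo <= ilo and ihi <= ohi:
                found.append((outer, inner))
    return found


# Ranges exactly as quoted from the VuXML entry in this report (constructed input)
ORIGINAL = ["8.3 <= gitlab < 10.5.6", "8.3 <= gitlab < 10.4.6", "8.3 <= gitlab < 10.3.9"]
# Ranges as the reporter proposes them, one per release branch
CORRECTED = ["10.5.0 <= gitlab < 10.5.6", "10.4.0 <= gitlab < 10.4.6", "8.3 <= gitlab < 10.3.9"]

if __name__ == "__main__":
    for v in ("10.4.6", "10.4.5", "10.5.5", "10.3.8", "10.6.0"):
        print(v, "original:", matching_ranges(v, ORIGINAL), "corrected:", matching_ranges(v, CORRECTED))
    print("subsumed in original:", subsumed_ranges(ORIGINAL))
```

Running it shows 10.4.6 matched only by the first original line and by nothing in the corrected set, while 10.4.5 and 10.5.5 stay flagged by both.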
Comment 1 Matthias Fechner freebsd_committer freebsd_triage 2018-04-08 09:04:55 UTC
Thanks for your report, I created a review for it to get it fixed:
https://reviews.freebsd.org/D14999

But currently it is not that critical anymore, as a new security bug was found and fixed, which is already fixed in ports.
Comment 2 commit-hook freebsd_committer freebsd_triage 2018-04-09 13:56:08 UTC
A commit references this bug:

Author: mfechner
Date: Mon Apr  9 13:55:20 UTC 2018
New revision: 466857
URL: https://svnweb.freebsd.org/changeset/ports/466857

Log:
  Fixed a wrong version definition for gitlab that reported 10.4.6 as affected.

  PR:		227293
  Reported by:	majo-bugs.freebsd.org@cerny.sk
  Reviewed by:	dbaio, swills (mentor)
  Approved by:	swills (mentor)
  Differential Revision:	https://reviews.freebsd.org/D14999

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Matthias Fechner freebsd_committer freebsd_triage 2018-04-09 13:58:50 UTC
Problem is fixed now, please close this CR if you accept it.
Thanks a lot for your report!
Comment 4 Marián Černý 2018-04-09 15:44:54 UTC
Thanks for the fix.