In ports 86d1aa3caa24c97cdc63962d13fef16be12c84b7, an entry to VuXML was added for www/firefox, www/firefox-esr, and mail/thunderbird. It looks like the mail/thunderbird entry has a typo (copy/paste from the firefox-esr entry perhaps) where the version specifier "< 128.3.0,1" probably should be "< 128.3.0" without the ,1 port epoch. mail/thunderbird has never had PORTEPOCH set. The most recent advisories (https://www.mozilla.org/en-US/security/advisories/) indicate that thunderbird 128.3 is fixed for the vulnerabilities mentioned in the VuXML entry.
(In reply to John Hein from comment #0) Add committer of the vuxml change for feedback on this.
Fixed. Thanks for the heads up!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=67b39654b839b039d0cbf607ada2e50099cc3522

commit 67b39654b839b039d0cbf607ada2e50099cc3522
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2024-10-09 15:35:07 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-10-09 15:35:07 +0000

    security/vuxml: Fix Thunderbird version

    PR:             281960
    Reported by:    John Hein <jcfyecrayz@liamekaens.com>
    Fixes:          86d1aa3caa24c97cdc63962d13fef16be12c84b7

 security/vuxml/vuln/2024.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
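Why the stray `,1` matters to anyone auditing installed packages against this entry, shown as an added example that is not part of the original thread and is not pkg's own code: a PORTEPOCH outranks every other part of a port version, so a `< 128.3.0,1` bound matches every epoch-less thunderbird version, including the fixed one. The comparator is a simplified model that assumes purely numeric dotted versions, and the function names are hypothetical.

```python
import re

# Simplified model of FreeBSD port version ordering: VERSION[_REVISION][,EPOCH].
# Assumption: purely numeric dotted versions (enough for 128.3.0); the real
# pkg comparator also handles letters and pre-release markers.
_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?$")


def sort_key(version, width=8):
    """Return a tuple that orders versions epoch first, then version, then revision."""
    m = _VER.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    ver, rev, epoch = m.groups()
    parts = [int(p) for p in ver.split(".")]
    if len(parts) > width:
        raise ValueError(f"too many components: {version!r}")
    # In this model, shorter versions are padded with zeros before comparing.
    parts += [0] * (width - len(parts))
    # A missing epoch or revision counts as 0; the epoch dominates the comparison.
    return (int(epoch or 0), parts, int(rev or 0))


def matches_lt(installed, bound):
    """True if `installed` falls inside a 'less than `bound`' vulnerable range."""
    return sort_key(installed) < sort_key(bound)


def audit(installed_versions, bound):
    """Return the installed versions that a '< bound' entry would flag."""
    return [v for v in installed_versions if matches_lt(v, bound)]


if __name__ == "__main__":
    # Constructed sample versions; mail/thunderbird never set PORTEPOCH,
    # so its package versions carry no ",N" suffix.
    thunderbird = ["128.2.0", "128.3.0", "131.0"]
    print("typo  '< 128.3.0,1':", audit(thunderbird, "128.3.0,1"))
    print("fixed '< 128.3.0'  :", audit(thunderbird, "128.3.0"))
    # A package that does carry epoch 1 is handled correctly by the ',1' bound.
    print("epoch-1 package    :", audit(["128.2.0,1", "128.3.0,1"], "128.3.0,1"))
```

With the typo, the entry keeps flagging thunderbird after it is upgraded to the fixed release, and a report that is always red tends to get ignored.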