Bug 227293

Summary: www/gitlab: 10.4.6 incorrectly marked as vulnerable
Product: Ports & Packages Reporter: Marián Černý <majo-bugs.freebsd.org>
Component: Individual Port(s)Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED    
Severity: Affects Only Me CC: mfechner
Priority: --- Flags: bugzilla: maintainer-feedback? (mfechner)
Version: Latest   
Hardware: Any   
OS: Any   

Description Marián Černý 2018-04-05 09:39:18 UTC 
When trying to install gitlab from ports I get the following error:

    ****> Going to install :: www/gitlab ::
    ===>  gitlab-10.4.6 has known vulnerabilities:
    gitlab-10.4.6 is vulnerable:
    Gitlab -- multiple vulnerabilities
    CVE: CVE-2018-8801
    WWW: https://vuxml.FreeBSD.org/freebsd/dc0c201c-31da-11e8-ac53-d8cb8abf62dd.html
    
    1 problem(s) in the installed packages found.
    => Please update your ports tree and try again.
    => Note: Vulnerable ports are marked as such even if there is no update available.
    => If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
    *** Error code 1
    
    Stop.
    make: stopped in /usr/ports/www/gitlab

However the last commit into the port mentions that CVE-2018-8801, so I guess it should be fixed.

When I check website related to the vulnerability (https://vuxml.FreeBSD.org/freebsd/dc0c201c-31da-11e8-ac53-d8cb8abf62dd.html) I can see the following version affected:

    Affected packages
    8.3	<=	gitlab	<	10.5.6
    8.3	<=	gitlab	<	10.4.6
    8.3	<=	gitlab	<	10.3.9

Isn't the problem, that 10.4.6 is marked as vulnerable caused by the first expression 8.3 <= gitlab < 10.5.6? Shouldn't be the affected version specified as follows?:

    Affected packages
    10.5.0	<=	gitlab	<	10.5.6
    10.4.0	<=	gitlab	<	10.4.6
    8.3	<=	gitlab	<	10.3.9
Comment 1 Matthias Fechner freebsd_committer freebsd_triage 2018-04-08 09:04:55 UTC 
Thanks for your report, I created a review for it to get it fixed:
https://reviews.freebsd.org/D14999

But currently it is not that critical anymore, as a new security bug was found and fixed, which is already fixed in ports.
Comment 2 commit-hook freebsd_committer freebsd_triage 2018-04-09 13:56:08 UTC 
A commit references this bug:

Author: mfechner
Date: Mon Apr  9 13:55:20 UTC 2018
New revision: 466857
URL: https://svnweb.freebsd.org/changeset/ports/466857

Log:
  Fixed a wrong version definition for gitlab that report 10.4.6 as affected.

  PR:		227293
  Reported by:	majo-bugs.freebsd.org@cerny.sk
  Reviewed by:	dbaio, swills (mentor)
  Approved by:	swills (mentor)
  Differential Revision:	https://reviews.freebsd.org/D14999

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Matthias Fechner freebsd_committer freebsd_triage 2018-04-09 13:58:50 UTC 
Problem is fixed now, please close this CR if you accept it.
Thanks a lot for your report!
Comment 4 Marián Černý 2018-04-09 15:44:54 UTC 
Thanks for the fix.