Bug 231054

Summary: security/vuxml: vuln.xml fix for wrong entry for wpa_supplicant (bad version range)
Product: Ports & Packages Reporter: Miroslav Lachman <000.fbsd>
Component: Individual Port(s)Assignee: Cy Schubert <cy>
Status: Closed FIXED    
Severity: Affects Some People CC: ports-secteam
Priority: --- Keywords: needs-qa, security
Version: Latest   
Hardware: Any   
OS: Any   

Description Miroslav Lachman 2018-08-31 10:21:40 UTC 
vuln.xml in revision 477201 has entry vid="6bedc863-9fbe-11e8-945f-206a8a720317" for wpa_supplicant -- unauthenticated encrypted EAPOL-Key data
It affects base too and there are FreeBSD version range identifiers. Because there is no "ge" specified, pkg audit FreeBSD-10.4_11 says it is vulnerable even if this was fixed in 10.4-p10

--- vuln.xml.orig     2018-08-30 03:02:57.656941000 +0200
+++ vuln.xml          2018-08-31 12:13:53.564345000 +0200
@@ -525,8 +525,8 @@
       </package>
       <package>
        <name>FreeBSD</name>
-       <range><le>10.4_10</le></range>
-       <range><le>11.2_1</le></range>
+       <range><ge>10.4</ge><le>10.4_10</le></range>
+       <range><ge>11.2</ge><le>11.2_1</le></range>
       </package>
     </affects>
     <description>

credit goes to Dan Lukes who noted this in private discussion
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2018-09-07 03:12:52 UTC 
Assign to committer of ports r477201
Comment 2 commit-hook freebsd_committer freebsd_triage 2018-09-07 03:49:58 UTC 
A commit references this bug:

Author: cy
Date: Fri Sep  7 03:49:47 UTC 2018
New revision: 479178
URL: https://svnweb.freebsd.org/changeset/ports/479178

Log:
  Remove duplicate entry for WPA EAPOL vulnerability. Use r477829 instead
  as its version range is more complete.

  PR:		231054
  Reported by:	000.fbsd@quip.cz

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Cy Schubert freebsd_committer freebsd_triage 2018-09-07 03:50:54 UTC 
feld@ committed a duplicate entry which does have the correct range. I've removed not as correct one.