Bug 240227

Summary: lang/ruby24: 2.4.7,1 still marked as vulnerable
Product: Ports & Packages Reporter: Trond Endrestøl <Trond.Endrestol>
Component: Individual Port(s)Assignee: Po-Chuan Hsieh <sunpoet>
Status: Closed FIXED    
Severity: Affects Only Me Flags: bugzilla: maintainer-feedback? (ruby)
Priority: ---    
Version: Latest   
Hardware: Any   
OS: Any   

Description Trond Endrestøl 2019-08-31 08:12:51 UTC 
I believe the PORTEPOCH has to go in the entry for RDoc.

$ pkg audit -Fr
vulnxml file up-to-date
ruby-2.4.7,1 is vulnerable:
RDoc -- multiple jQuery vulnerabilities
CVE: CVE-2015-9251
CVE: CVE-2012-6708
WWW: https://vuxml.FreeBSD.org/freebsd/ed8d5535-ca78-11e9-980b-999ff59c22ea.html

Packages that depend on ruby: ruby24-bdb, dtrace-toolkit, portupgrade

1 problem(s) in 1 installed package(s) found.

I.e.:
        <package>
          <name>ruby</name>
          <range><ge>2.4.0</ge><lt>2.4.7,1</lt></range>
          <range><ge>2.5.0</ge><lt>2.5.6,1</lt></range>
          <range><ge>2.6.0</ge><lt>2.6.3,1</lt></range>
        </package>

should be:

        <package>
          <name>ruby</name>
          <range><ge>2.4.0</ge><lt>2.4.7</lt></range>
          <range><ge>2.5.0</ge><lt>2.5.6</lt></range>
          <range><ge>2.6.0</ge><lt>2.6.3</lt></range>
        </package>
Comment 1 Po-Chuan Hsieh freebsd_committer freebsd_triage 2019-08-31 09:04:38 UTC 
Committed. Thanks!
Comment 2 commit-hook freebsd_committer freebsd_triage 2019-08-31 09:05:06 UTC 
A commit references this bug:

Author: sunpoet
Date: Sat Aug 31 09:04:11 UTC 2019
New revision: 510361
URL: https://svnweb.freebsd.org/changeset/ports/510361

Log:
  Update ruby version

  PR:		240227
  Reported by:	Trond Endrestol <Trond.Endrestol@ximalas.info>

Changes:
  head/security/vuxml/vuln.xml