|Summary:||security/vuxml request for version ranges for www/node entries|
|Product:||Ports & Packages||Reporter:||Miroslav Lachman <000.fbsd>|
|Component:||Individual Port(s)||Assignee:||freebsd-ports-bugs (Nobody) <ports-bugs>|
|Severity:||Affects Only Me||CC:||bhughes, ports-secteam|
Description Miroslav Lachman 2020-12-20 16:13:34 UTC
I would like to ask for a version range for www/node:
https://vuxml.freebsd.org/freebsd/ad792169-2aa4-11eb-ab71-0022489ad614.html

The current specification is:

Affected packages
node < 15.2.1
node14 < 14.15.1
node12 < 12.19.1

www/node is specified without the lower end, so if a fix for www/node in the quarterly branch is backported from www/node14, then we have a port www/node of version 14.15.1 which is not vulnerable but is reported as vulnerable by pkg audit.

Can the "affected" always be specified as "X.0.0 < X.Y.Z" and not just "< X.Y.Z"?

Example:
node - 15.0.0 < 15.2.1
node14 - 14.0.0 < 14.15.1
node12 - 12.0.0 < 12.19.1

A similar situation affects some other ports (vulnerabilities) too. It caused problems for a FreeBSD base vulnerability too (last week).
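The false positive described in the report above, as an added example that is not part of the original bug thread or of pkg's own code: a small matcher evaluates VuXML-style `<range>` bounds for the `node` package with and without a lower bound. The XML fragments are constructed for illustration, and version comparison is simplified to plain dotted numbers (no PORTREVISION or PORTEPOCH handling).

```python
import xml.etree.ElementTree as ET

# Constructed VuXML-style fragments (not copied from the real entry).
OPEN_ENDED = """<affects>
  <package><name>node</name><range><lt>15.2.1</lt></range></package>
  <package><name>node14</name><range><lt>14.15.1</lt></range></package>
</affects>"""

BOUNDED = """<affects>
  <package><name>node</name><range><ge>15.0.0</ge><lt>15.2.1</lt></range></package>
  <package><name>node14</name><range><ge>14.0.0</ge><lt>14.15.1</lt></range></package>
</affects>"""

# Comparison operators named after the VuXML range child elements.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
}


def parse_version(text):
    """Simplification: plain dotted numeric versions only."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(affects_xml, name, version):
    """True if (name, version) falls inside any range listed for that name."""
    installed = parse_version(version)
    for package in ET.fromstring(affects_xml).iter("package"):
        if name not in [n.text for n in package.findall("name")]:
            continue
        for rng in package.findall("range"):
            # Every bound inside one <range> must hold for the range to match.
            if all(OPS[b.tag](installed, parse_version(b.text)) for b in rng):
                return True
    return False


if __name__ == "__main__":
    for label, xml in (("open-ended", OPEN_ENDED), ("bounded", BOUNDED)):
        for version in ("14.15.1", "15.2.0", "15.2.1"):
            print(label, "node", version, is_affected(xml, "node", version))
```

With the open-ended range, a package named `node` at 14.15.1 matches `< 15.2.1` and is flagged; with the bounded range it is not, while 15.2.0 is still flagged in both cases.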
Comment 1 Bradley T. Hughes 2021-01-18 07:55:53 UTC
Hi! I am closing this PR now that there is a new quarterly with the latest versions of all Node.js ports. I am sorry that I didn't manage to get 2020Q4 updated, the addition of www/node14 and switch to 15.x in www/node made it non-trivial. I will do better about keeping the quarterly branch up-to-date with the latest Node.js versions, with particular focus on the LTS releases. Thanks for the report! :)
Comment 2 Bradley T. Hughes 2021-01-18 07:57:05 UTC
*** Bug 251994 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Lachman 2021-01-18 09:37:41 UTC
(In reply to Bradley T. Hughes from comment #1)
It is not just about the node versions; it is about the style of version ranges reported in vuln.xml in general. I think we need to always set both sides: the minimum and maximum version. Not just "anything lower than". It caused problems in the past and will cause problems in the future too. The node package was just an actual example.
Comment 4 Bradley T. Hughes 2021-01-18 09:40:01 UTC
I am re-opening this PR since this is an important detail that I missed.