Bug 253828

Summary: security/vuxml: Update vulnerabilities in ruby, jruby
Product: Ports & Packages
Reporter: Thomas Hurst <tom>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed Overcome By Events
Severity: Affects Only Me
CC: joneum, lwhsu, ports-secteam, ruby
Priority: ---
Flags: bugzilla: maintainer-feedback? (ports-secteam)
Version: Latest
Hardware: Any
OS: Any
Attachments:
Incomplete patch, modifying 3 entries and adding 1 (flags: none)

Description Thomas Hurst 2021-02-24 21:54:30 UTC
Created attachment 222802 [details]
Incomplete patch, modifying 3 entries and adding 1

Some Ruby-only entries also needed to apply to JRuby.  A Ruby entry was also missing.

The patch is incomplete - in particular the ruby versions likely need tweaking to match the port versions.  Sadly I'm a bit stuck because I can't get pkg to parse it and make validate hangs with:

/usr/local/bin/xmllint --valid --noout /usr/local/poudriere/ports/default/security/vuxml/vuln-flat.xml
/usr/local/share/xml/catalog.ports:1: parser error : Start tag expected, '<' not found
PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-

A plain parse-only xmllint passes fine so I'm not really sure what's going on.
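The consistency check the report is about (Ruby-only vuxml entries that should also list JRuby), written here as an added example; it is not part of the bug, the attached patch, or the security/vuxml port's own tooling. It parses a constructed, heavily reduced vuxml document (the vids and version numbers are placeholders, not real entries) and reports entries naming `ruby` but not `jruby`. The well-formedness helper mirrors the plain parse-only xmllint run mentioned in the report: it only checks XML syntax and does no DTD validation, so the catalog problem described above is outside its scope.

```python
import xml.etree.ElementTree as ET

# Namespace used by vuxml documents.
VUXML_NS = "http://www.vuxml.org/apps/vuxml-1"
NS = {"v": VUXML_NS}

# Constructed sample input (not real vuxml entries): the vids and
# version ranges are placeholders chosen only for this example.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>ruby -- constructed example entry, ruby only</topic>
    <affects>
      <package>
        <name>ruby</name>
        <range><lt>2.7.3,1</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>ruby -- constructed example entry, ruby and jruby</topic>
    <affects>
      <package>
        <name>ruby</name>
        <range><lt>3.0.1,1</lt></range>
      </package>
      <package>
        <name>jruby</name>
        <range><lt>9.3.0.0</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""


def is_well_formed(xml_text):
    """Parse-only check, like `xmllint --noout` without --valid.

    Returns True if the text is syntactically valid XML; a DTD or
    catalog problem is not detected here because nothing is validated.
    """
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True


def packages_per_vuln(xml_text):
    """Map each <vuln vid> to the set of package names it lists under <affects>."""
    root = ET.fromstring(xml_text)
    result = {}
    for vuln in root.findall("v:vuln", NS):
        names = {
            name.text.strip()
            for name in vuln.findall("v:affects/v:package/v:name", NS)
            if name.text
        }
        result[vuln.get("vid")] = names
    return result


def find_missing_sibling(xml_text, primary="ruby", sibling="jruby"):
    """Return the vids of entries that list `primary` but not `sibling`.

    This is the gap the report describes: an advisory that applies to
    both implementations but whose vuxml entry only names one of them.
    """
    return sorted(
        vid
        for vid, names in packages_per_vuln(xml_text).items()
        if primary in names and sibling not in names
    )


if __name__ == "__main__":
    # Run against the constructed sample; in practice pass the text of vuln.xml.
    print("well-formed:", is_well_formed(SAMPLE_VUXML))
    for vid in find_missing_sibling(SAMPLE_VUXML):
        print("lists ruby but not jruby:", vid)
```

The `find_missing_sibling` result is a list of candidates to review by hand, not a verdict: some advisories genuinely apply to only one implementation, so each flagged vid still needs the underlying reference checked before the entry is extended.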
Comment 1 Li-Wen Hsu freebsd_committer freebsd_triage 2021-02-25 04:33:33 UTC
Also add maintainers because everyone is welcome to update vuxml, and more encouraged by the maintainers.
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2022-04-27 10:18:53 UTC
^Triage Reset assignee (timeout; 14 months), leave in CC (port maintainer)

@Thomas Does this still need addressing (it hasn't been corrected elsewhere in the meantime?)
Comment 3 Thomas Hurst 2022-04-27 14:29:49 UTC
(In reply to Kubilay Kocak from comment #2)

None of these have been applied in other forms, no.  At this point they're more of historic interest.
Comment 4 Jochen Neumeister freebsd_committer freebsd_triage 2024-02-12 13:00:07 UTC
Is this PR still relevant or can it be closed?
Comment 5 Thomas Hurst 2024-02-12 14:04:12 UTC
It's an old issue in EOL Ruby, on a gem nobody should be using in a production context anyway.  Probably not worth the effort of applying at this point.