Created attachment 152808
Makefile with CPE info added

security/tor-devel has had vulnerabilities with a CVE number (e.g. CVE-2014-5117)[0]. This patch adds CPE information as suggested in the FreeBSD wiki[1].

[0] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5117
[1] https://wiki.freebsd.org/Ports/CPE
Auto-assigned to maintainer bf@FreeBSD.org
A commit references this bug:

Author: bf
Date: Sun Mar 8 15:52:00 UTC 2015
New revision: 380776
URL: https://svnweb.freebsd.org/changeset/ports/380776

Log:
  update to 0.2.6.3-alpha [1]; use cpe [2]; adjust rc-script REQUIRES [3]; use @sample [4]

  PR: 197839 [1], 197494 [2], 197998 [3], 198164 [4]
  Submitted by: C. Sturm [1], J. Beich [3], amdmi3 [4]

Changes:
  head/security/tor-devel/Makefile
  head/security/tor-devel/distinfo
  head/security/tor-devel/files/tor.in
  head/security/tor-devel/pkg-plist
I am not very happy with an additional vulnerability reporting mandate, especially for a developer port, and with a database that does not include many problems that may affect tor users. Nevertheless, I've added the information, with further adjustments needed to match the cpe data properly.
(In reply to Brendan Fabeny from comment #3)
> ... an additional vulnerability reporting mandate ...
> .. database that does not include many problems

Just to clear up a misconception: CPE is not about vulnerability reporting, it is more aimed at software inventory management (since it identifies specific software versions, vendors and platforms). This in turn fits with vulnerability reporting, but is not the core purpose.
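
An added example, not part of this bug thread or the port: a CPE 2.3 formatted-string parser and a simplified matcher, showing how an inventory entry is compared against the CPE name in an advisory and why a version such as 0.2.6.3-alpha has to be split into version and update fields before it will match. The vendor string, the sample inventory, the advisory pattern and the function names are constructed assumptions; matching is reduced to "`*` matches anything, otherwise exact equality".

```python
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Parse a CPE 2.3 formatted string into a dict of its 11 attributes."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    values, cur, i, body = [], "", 0, cpe[len(prefix):]
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):  # keep escaped pair, e.g. \: or \-
            cur += body[i:i + 2]
            i += 2
        elif body[i] == ":":                        # unescaped colon ends an attribute
            values.append(cur)
            cur = ""
            i += 1
        else:
            cur += body[i]
            i += 1
    values.append(cur)
    if len(values) != len(FIELDS):
        raise ValueError("expected 11 attributes, got %d" % len(values))
    return dict(zip(FIELDS, (v.lower() for v in values)))

def cpe_from_distversion(vendor, product, distversion):
    """Assumed mapping: 'X-suffix' becomes version X and update suffix."""
    version, _, update = distversion.partition("-")
    return "cpe:2.3:a:%s:%s:%s:%s:*:*:*:*:*:*" % (vendor, product, version, update or "*")

def matches(pattern, installed):
    """Simplified matching: '*' in the pattern matches any value, else exact equality."""
    p, t = parse_cpe23(pattern), parse_cpe23(installed)
    return all(p[f] == "*" or p[f] == t[f] for f in FIELDS)

def affected(pattern, inventory):
    """Return the inventory entries whose CPE name matches the advisory pattern."""
    return [name for name, cpe in inventory.items() if matches(pattern, cpe)]

# Constructed sample data; the vendor string and advisory pattern are illustrative.
INVENTORY = {
    "tor-devel (split)": cpe_from_distversion("torproject", "tor", "0.2.6.3-alpha"),
    "tor-devel (unsplit)": r"cpe:2.3:a:torproject:tor:0.2.6.3\-alpha:*:*:*:*:*:*:*",
    "example-pkg": "cpe:2.3:a:example:pkg:1.0:*:*:*:*:*:*:*",
}
ADVISORY = "cpe:2.3:a:torproject:tor:0.2.6.3:alpha:*:*:*:*:*:*"

if __name__ == "__main__":
    print(affected(ADVISORY, INVENTORY))
```

The unsplit entry names the same software but is not matched, which is the inventory-side failure that a mismatched CPE definition produces.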