Bug 197494 - [patch] security/tor-devel: add CPE information
Summary: [patch] security/tor-devel: add CPE information
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Brendan Fabeny
Depends on:
Reported: 2015-02-09 17:33 UTC by shun
Modified: 2015-03-09 09:39 UTC (History)
0 users

See Also:
bugzilla: maintainer-feedback? (bf)

Makefile with CPE info added (390 bytes, patch)
2015-02-09 17:33 UTC, shun
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description shun 2015-02-09 17:33:14 UTC
Created attachment 152808 [details]
Makefile with CPE info added

security/tor-devel has had vulnerabilities with a CVE number (e.g. CVE-2014-5117)[0]. This patch adds CPE information as suggested in the FreeBSD wiki[1].

[0] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5117
[1] https://wiki.freebsd.org/Ports/CPE
Comment 1 Bugzilla Automation freebsd_committer 2015-02-09 17:33:14 UTC
Auto-assigned to maintainer bf@FreeBSD.org
Comment 2 commit-hook freebsd_committer 2015-03-08 15:52:50 UTC
A commit references this bug:

Author: bf
Date: Sun Mar  8 15:52:00 UTC 2015
New revision: 380776
URL: https://svnweb.freebsd.org/changeset/ports/380776

  update to [1]; use cpe [2]; adjust rc-script REQUIRES [3];
  use @sample [4]

  PR:		197839 [1], 197494 [2], 197998 [3], 198164 [4]
  Submitted by:	C. Sturm [1], J. Beich [3], amdmi3 [4]

Comment 3 Brendan Fabeny freebsd_committer 2015-03-09 07:10:22 UTC
I am not very happy with an additional vulnerability reporting mandate, especially for a developer port, and with a database that does not include many problems that may affect tor users.  Nevertheless, I've added the information, with further adjustments needed to match the cpe data properly.
Comment 4 shun 2015-03-09 09:39:41 UTC
(In reply to Brendan Fabeny from comment #3)

> ... an additional vulnerability reporting mandate ...
> .. database that does not include many problems
Just to clear up a misconception: CPE is not about vulnerability reporting, it more aimed software inventory management (since it identifies specific software versions, vendors and platforms) . This in turn fits with vulnerability reporting, but is not the core purpose.