When set as default ruby version, lang/ruby22 fails to build because of false-positive vulnerabilities as following: root@rolling-vm-freebsd1:/ # grep DEFAULT_VERSIONS /etc/make.conf DEFAULT_VERSIONS= apache=2.4 perl5=5.20 php=5.5 ruby=2.2 root@rolling-vm-freebsd1:/ # cd /usr/ports/lang/ruby22/ root@rolling-vm-freebsd1:/usr/ports/lang/ruby22 # make ===> ruby-2.2.0 has known vulnerabilities: ruby-2.2.0 is vulnerable: ruby -- multiple vulnerabilities CVE: CVE-2006-3694 WWW: http://vuxml.FreeBSD.org/freebsd/76562594-1f19-11db-b7d4-0008743bf21a.html ruby-2.2.0 is vulnerable: Multiple implementations -- DoS via hash algorithm collision CVE: CVE-2011-5037 CVE: CVE-2011-5036 CVE: CVE-2011-4815 CVE: CVE-2011-4838 WWW: http://vuxml.FreeBSD.org/freebsd/91be81e7-3fea-11e1-afc7-2c4138874f7d.html 1 problem(s) in the installed packages found. => Please update your ports tree and try again. => Note: Vulnerable ports are marked as such even if there is no update available. => If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes' *** Error code 1 Stop. make[1]: stopped in /am/eastasia/usr0/freebsd/ports/ports/lang/ruby22 *** Error code 1 Stop. make: stopped in /am/eastasia/usr0/freebsd/ports/ports/lang/ruby22 root@rolling-vm-freebsd1:/usr/ports/lang/ruby22 # Attached patch fixes the issue.
Auto-assigned to maintainer ruby@FreeBSD.org
Created attachment 153265 [details] Fix false-positive vulnerabilities when set as default ruby version.
A commit references this bug: Author: swills Date: Sat Feb 21 16:10:44 UTC 2015 New revision: 379530 URL: https://svnweb.freebsd.org/changeset/ports/379530 Log: Bump PORTEPOCH on lang/ruby22 to avoid false positive vulnerability report PR: 197875 Submitted by: Yasuhiro KIMURA <freebsd.org@pob01.utahime.jp> Changes: head/Mk/bsd.ruby.mk
Thanks, I knew all lang/ruby* had to have PORTEPOCH>=1 but forgot, thanks for the reminder.