Created attachment 153746: Makefile with CPE information added
lang/gcc47-aux has had vulnerabilities with a CPE identifier assigned (e.g. CVE-2008-1367). This patch adds CPE information as suggested in the FreeBSD wiki[0].
[0] https://wiki.freebsd.org/Ports/CPE
According to http://www.cvedetails.com/cve/CVE-2008-1367/, CVE-2008-1367 applies to gcc 4.3.x. gcc-aux is version 4.7.4. To me this CVE is not applicable. Why do you think it is?
A commit references this bug:
Author: marino
Date: Thu Mar 5 09:01:27 UTC 2015
New revision: 380478
URL: https://svnweb.freebsd.org/changeset/ports/380478
Log:
  lang/gcc-aux, lang/gcc47-aux, lang/gnatdroid-arm*: Add CPE information
  There are no active CVEs against GCC 4.7.x or 4.9.x, but GCC is listed in the CPE database due to earlier CVEs. To prepare for future CVEs, add the CPE information. Note that CPE_VERSION has to be defined since these ports use their own version schemes rather than GCC version numbers.
  PR: 198252
  PR: 198257
  Submitted by: shun (dropcut.net)
Changes:
  head/lang/gcc-aux/Makefile.common
  head/lang/gcc47-aux/Makefile.common
Thanks, two changes:
1) I had to add CPE_VERSION entry since gcc47-aux uses a date for a version, not the gcc version, so the CPE_STR was wrong without it.
2) I moved it to Makefile.common. No other port uses Makefile.common (anymore) so it doesn't make a difference, it's just cleaner there.
Thanks!
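The CPE_VERSION point from the commit log and the last comment, as an added example that is not part of the thread or of the ports framework: a date-style port version yields a CPE string that an advisory for the underlying GCC release cannot match. Assumptions: the `gnu`/`gcc` vendor and product values, the constructed port version `20150101`, the hypothetical advisory entry, the helper names, and the simplified wildcard matching.

```python
# Added illustration: simplified CPE 2.3 handling, not the ports framework's code.
ATTRS = ["part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other"]

def port_cpe(vendor, product, port_version, cpe_version=None):
    """Build the CPE 2.3 string a port would be identified by.

    Assumption: the version field falls back to the port's own version
    unless an override (the CPE_VERSION knob) is supplied.
    """
    version = cpe_version if cpe_version is not None else port_version
    values = ["a", vendor, product, version] + ["*"] * 7
    return "cpe:2.3:" + ":".join(values)

def parse_cpe(cpe):
    """Split a CPE 2.3 string into named attributes (escaped colons unsupported)."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(ATTRS, fields[2:]))

def matches(installed, advisory):
    """True when every attribute is equal or wildcarded on either side."""
    a, b = parse_cpe(installed), parse_cpe(advisory)
    return all(a[k] == b[k] or "*" in (a[k], b[k]) for k in ATTRS)

# Constructed inputs: a date-style port version and a hypothetical advisory entry.
PORT_VERSION = "20150101"                           # constructed, not the real port version
ADVISORY = "cpe:2.3:a:gnu:gcc:4.7.4:*:*:*:*:*:*:*"  # hypothetical future entry

def audit():
    """Compare the default CPE string and the overridden one against the advisory."""
    default = port_cpe("gnu", "gcc", PORT_VERSION)
    fixed = port_cpe("gnu", "gcc", PORT_VERSION, cpe_version="4.7.4")
    return {"default": (default, matches(default, ADVISORY)),
            "with_cpe_version": (fixed, matches(fixed, ADVISORY))}

if __name__ == "__main__":
    for label, (cpe, hit) in audit().items():
        print(f"{label:17} {cpe}  matches advisory: {hit}")
```
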