Bug 240227 - lang/ruby24: 2.4.7,1 still marked as vulnerable
Summary: lang/ruby24: 2.4.7,1 still marked as vulnerable
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Po-Chuan Hsieh
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-31 08:12 UTC by Trond Endrestøl
Modified: 2019-08-31 09:05 UTC (History)
0 users

See Also:
bugzilla: maintainer-feedback? (ruby)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Trond Endrestøl 2019-08-31 08:12:51 UTC 
I believe the PORTEPOCH has to go in the entry for RDoc.

$ pkg audit -Fr
vulnxml file up-to-date
ruby-2.4.7,1 is vulnerable:
RDoc -- multiple jQuery vulnerabilities
CVE: CVE-2015-9251
CVE: CVE-2012-6708
WWW: https://vuxml.FreeBSD.org/freebsd/ed8d5535-ca78-11e9-980b-999ff59c22ea.html

Packages that depend on ruby: ruby24-bdb, dtrace-toolkit, portupgrade

1 problem(s) in 1 installed package(s) found.

I.e.:
        <package>
          <name>ruby</name>
          <range><ge>2.4.0</ge><lt>2.4.7,1</lt></range>
          <range><ge>2.5.0</ge><lt>2.5.6,1</lt></range>
          <range><ge>2.6.0</ge><lt>2.6.3,1</lt></range>
        </package>

should be:

        <package>
          <name>ruby</name>
          <range><ge>2.4.0</ge><lt>2.4.7</lt></range>
          <range><ge>2.5.0</ge><lt>2.5.6</lt></range>
          <range><ge>2.6.0</ge><lt>2.6.3</lt></range>
        </package>
Comment 1 Po-Chuan Hsieh freebsd_committer freebsd_triage 2019-08-31 09:04:38 UTC 
Committed. Thanks!
Comment 2 commit-hook freebsd_committer freebsd_triage 2019-08-31 09:05:06 UTC 
A commit references this bug:

Author: sunpoet
Date: Sat Aug 31 09:04:11 UTC 2019
New revision: 510361
URL: https://svnweb.freebsd.org/changeset/ports/510361

Log:
  Update ruby version

  PR:		240227
  Reported by:	Trond Endrestol <Trond.Endrestol@ximalas.info>

Changes:
  head/security/vuxml/vuln.xml