While the vuxml.freebsd.org link defines everything below phpMyAdmin version 4.9.5 as vulnerable, pkg identifies 4.9.5 as vulnerable:

    # pkg info | grep phpMyAdmin
    phpMyAdmin-php72-4.9.5         Set of PHP-scripts to manage MySQL over the web

    # pkg audit -F
    vulnxml file up-to-date
    phpMyAdmin-php72-4.9.5 is vulnerable:
    phpMyAdmin -- SQL injection
    WWW: https://vuxml.FreeBSD.org/freebsd/97fcc60a-6ec0-11ea-a84a-4c72b94353b5.html
It's the "phpMyAdmin{-php*} < 5.0.2" entries that are causing this:

    phpMyAdmin < 5.0.2
    phpMyAdmin-php72 < 5.0.2
    phpMyAdmin-php73 < 5.0.2
    phpMyAdmin-php74 < 5.0.2

One would address this in the short term by removing the "< 5.0.2" entries for the *phpMyAdmin* (not phpmyadmin5) packages, as all 5.x versions live in the phpmyadmin5 port. This is an issue, as at some point databases/phpmyadmin will presumably be updated to 5.x (when, say, 4.x is deprecated), at which point the vuxml entries will be incorrect.
Since there is a single <package> definition (see below), each (every) <range> is added for each (every) <name>:

    <affects>
      <package>
        <name>phpMyAdmin</name>
        <name>phpMyAdmin-php72</name>
        <name>phpMyAdmin-php73</name>
        <name>phpMyAdmin-php74</name>
        <name>phpMyAdmin5</name>
        <name>phpMyAdmin5-php72</name>
        <name>phpMyAdmin5-php73</name>
        <name>phpMyAdmin5-php74</name>
        <range><lt>4.9.5</lt></range>
        <range><lt>5.0.2</lt></range>
      </package>
    </affects>

Two <package> blocks, one with phpmyadmin, the other with phpmyadmin5, each with their own ranges, should resolve the issue.
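The cross-product behaviour described in this comment can be checked mechanically. The script below is an added example, not code from the PR or from the vuxml/pkg tooling: it loads two constructed <affects> fragments (the single-block entry quoted above and the proposed two-block fix, both without the real vuln.xml namespace), evaluates a package name plus version against every <package> block the name appears in, and reports whether any <range> of that block matches, which is how a name ends up matched by ranges meant for a different port. Version comparison is a deliberately simplified dotted-integer compare and is an assumption; real pkg audit uses pkg's own version ordering with suffixes such as _1 and ,1.

```python
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the single <package> block quoted in the PR.
# (No xmlns here; the real vuln.xml carries the vuxml-1 namespace.)
BROKEN = """<affects>
  <package>
    <name>phpMyAdmin</name><name>phpMyAdmin-php72</name>
    <name>phpMyAdmin-php73</name><name>phpMyAdmin-php74</name>
    <name>phpMyAdmin5</name><name>phpMyAdmin5-php72</name>
    <name>phpMyAdmin5-php73</name><name>phpMyAdmin5-php74</name>
    <range><lt>4.9.5</lt></range>
    <range><lt>5.0.2</lt></range>
  </package>
</affects>"""

# Constructed fragment of the proposed fix: one block per port, each with
# only the range that belongs to it.
FIXED = """<affects>
  <package>
    <name>phpMyAdmin</name><name>phpMyAdmin-php72</name>
    <name>phpMyAdmin-php73</name><name>phpMyAdmin-php74</name>
    <range><lt>4.9.5</lt></range>
  </package>
  <package>
    <name>phpMyAdmin5</name><name>phpMyAdmin5-php72</name>
    <name>phpMyAdmin5-php73</name><name>phpMyAdmin5-php74</name>
    <range><lt>5.0.2</lt></range>
  </package>
</affects>"""

# Comparison operators vuxml allows inside a <range>.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def vertuple(version):
    # Assumption: plain dotted integers (4.9.5 -> (4, 9, 5)). pkg's real
    # ordering also handles PORTREVISION (_1) and PORTEPOCH (,1) suffixes.
    return tuple(int(part) for part in version.split("."))


def split_pkg(pkgname_version):
    # "phpMyAdmin-php72-4.9.5" -> ("phpMyAdmin-php72", "4.9.5"), the form
    # pkg info prints; the version is everything after the last dash.
    name, version = pkgname_version.rsplit("-", 1)
    return name, version


def in_range(version, rng):
    # Every bound inside one <range> must hold (e.g. <ge> and <lt> together).
    v = vertuple(version)
    bounds = [(child.tag, vertuple(child.text)) for child in rng]
    return bool(bounds) and all(OPS[tag](v, bound) for tag, bound in bounds)


def matching_ranges(affects_xml, pkgname, version):
    # Return the ranges that flag this package, as strings, across every
    # <package> block whose <name> list contains pkgname. Each block's
    # ranges apply to each of its names, which is the cross-product the
    # PR is about.
    root = ET.fromstring(affects_xml)
    hits = []
    for pkg in root.findall("package"):
        names = {n.text for n in pkg.findall("name")}
        if pkgname not in names:
            continue
        for rng in pkg.findall("range"):
            if in_range(version, rng):
                hits.append(" ".join(f"{c.tag} {c.text}" for c in rng))
    return hits


def affected(affects_xml, installed):
    # installed is a pkg-style "name-version" string.
    name, version = split_pkg(installed)
    return bool(matching_ranges(affects_xml, name, version))


if __name__ == "__main__":
    for label, xml in (("single block", BROKEN), ("two blocks", FIXED)):
        for installed in ("phpMyAdmin-php72-4.9.5", "phpMyAdmin-php72-4.9.4",
                          "phpMyAdmin5-php74-5.0.1", "phpMyAdmin5-php74-5.0.2"):
            name, ver = split_pkg(installed)
            print(f"{label:12} {installed:26} "
                  f"{matching_ranges(xml, name, ver) or 'not vulnerable'}")
```

With the single block, phpMyAdmin-php72-4.9.5 is flagged by "lt 5.0.2" even though the 4.9.5 bound was chosen to clear it; with separate blocks the 4.x names are only ever compared against 4.9.5 and the 5.x names only against 5.0.2. A single block with several names is fine when all of the names genuinely share the same fixed version; it is the mix of two version streams in one block that breaks.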
A commit references this bug:

    Author: fjoe
    Date: Tue May 5 05:32:48 UTC 2020
    New revision: 534026
    URL: https://svnweb.freebsd.org/changeset/ports/534026

    Log:
      Fix version range for 97fcc60a-6ec0-11ea-a84a-4c72b94353b5:
      phpMyAdmin 4.9.5 is not vulnerable

      PR: 245096

    Changes:
      head/security/vuxml/vuln.xml