Bug 251995 - security/vuxml request for version ranges for www/node entries
Summary: security/vuxml request for version ranges for www/node entries
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL:
Keywords:
: 251994 (view as bug list)
Depends on:
Blocks:
 
Reported: 2020-12-20 16:13 UTC by Miroslav Lachman
Modified: 2021-01-18 09:40 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Miroslav Lachman 2020-12-20 16:13:34 UTC
I would like to ask for version range of www/node https://vuxml.freebsd.org/freebsd/ad792169-2aa4-11eb-ab71-0022489ad614.html

The current specifiacation is:

Affected packages
node	<	15.2.1
node14	<	14.15.1
node12	<	12.19.1

www/node is specified without the lower end so if fix for www/node in quaterly branch is backported from www/node14 then we have a port www/node of version 14.15.1 which is not vulnerable but is reported vulnerable be pkg audit.
Can the "affected" be always  specified as "X.0.0 < X.Y.Z" and not just "< X.Y.Z"?
example: 
node -  15.0.0 < 15.2.1
node14 - 14.0.0 < 14.15.1
node12 - 12.0.0 < 12.19.1

Similar situation affect some other ports (vulnerabilities) too. It caused problems for FreeBSD base vulnerablity too (last week)
Comment 1 Bradley T. Hughes freebsd_committer 2021-01-18 07:55:53 UTC
Hi! I am closing this PR now that there is a new quarterly with the latest versions of all Node.js ports. I am sorry that I didn't manage to get 2020Q4 updated, the addition of www/node14 and switch to 15.x in www/node made it non-trivial. I will do better about keeping the quarterly branch up-to-date with the latest Node.js versions, with particular focus on the LTS releases.

Thanks for the report! :)
Comment 2 Bradley T. Hughes freebsd_committer 2021-01-18 07:57:05 UTC
*** Bug 251994 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Lachman 2021-01-18 09:37:41 UTC
(In reply to Bradley T. Hughes from comment #1)
It is not just about the node versions it is about the style of version ranges reported in vuln.xml in general. I think we need to always set both sides: the minimum and maximum version. Not just "anything lower than". It caused problems in the past and will cause problems in the future too.
Package of node was just an actual example.
Comment 4 Bradley T. Hughes freebsd_committer 2021-01-18 09:40:01 UTC
I am re-opening this PR since this is an important detail that I missed.