On 2011-05-25 01:36, Wesley Shields wrote:
> On Wed, May 25, 2011 at 01:26:38AM +0200, olli hauer wrote:
>> On 2011-05-25 01:24, Wesley Shields wrote:
>>> On Tue, May 24, 2011 at 10:59:52PM +0000, Olli Hauer wrote:
>>>> ohauer 2011-05-24 22:59:52 UTC
>>>>
>>>> FreeBSD ports repository
>>>>
>>>> Modified files:
>>>> security/vuxml vuln.xml
>>>> Log:
>>>> - use apr-* and add <gt></gt> entries for all apr0/apr1 issues
>>>> (<gt> .. is needed else the parser cannot make a difference
>>>> between apr0 and apr1)
>>>>
>>>> - lowercase ViewVC -> viewvc
>>>>
>>>> Thanks Jun Kuriyama ( kuriyama@ ) for the notice and the patch
>>>> for the apr entries.
>>>
>>> The apr-* stuff broke the build.
>>>
>>> -- WXS
>>>
>>
>> grrrr, I see the same but only on my 8.2 machines, no issues on 7.4.
>>
>> Do you have a chance to verify this (7.4/8.x)?
>
> I'm not sure what you mean, and it is probably because I was not clear.
> The vuxml build is broken. I can't speak for the build of the ports
> themselves.
>
> Sorry for the confusion.
>
> -- WXS

Hm, now I need someone's help.

I just noticed an issue with the vxquery portaudit parser.
If a vuln.xml entry does not match the exact portname, it will not be detected.

For example the entry

  <package>
    <name>apr-*</name>
    <range><ge>1.4.0.1.3.0</ge><lt>1.4.5.1.3.12</lt></range>
  </package>

will be detected by portaudit, but vxquery expects in my case

  <package>
    <name>apr-ipv6-devrandom-gdbm-db47</name>
    <range><lt>1.4.5.1.3.12</lt></range>
  </package>

Unfortunately the package name for apr reflects the build options and we can
end up with a few hundred different package names.
(5 options * possible (bdb|mysql|pgsql|ldap|sqlite) versions)

So what's the best way to document the apr issue?

This entry is not recognized by portaudit and vxquery.

  <package>
    <name>apr1</name>
    <range><lt>1.4.5.1.3.12</lt></range>
  </package>
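
The difference between exact-name and glob matching of `<name>` entries described in the message, as an added example (not portaudit or vxquery code, and not from the thread). It assumes versions are plain dotted integers, and the second installed package name is a constructed variant.

```python
import fnmatch
import operator
import xml.etree.ElementTree as ET

# The three <package> entries quoted in the message, wrapped in <affects>.
ENTRIES = """
<affects>
  <package><name>apr-*</name>
    <range><ge>1.4.0.1.3.0</ge><lt>1.4.5.1.3.12</lt></range></package>
  <package><name>apr-ipv6-devrandom-gdbm-db47</name>
    <range><lt>1.4.5.1.3.12</lt></range></package>
  <package><name>apr1</name>
    <range><lt>1.4.5.1.3.12</lt></range></package>
</affects>
"""
OPS = {op: getattr(operator, op) for op in ("lt", "le", "eq", "ge", "gt")}

def vkey(version):
    # Assumption: plain dotted integers; real port versions can also carry
    # PORTREVISION/PORTEPOCH suffixes, which this sketch does not handle.
    return tuple(int(part) for part in version.split("."))

def in_range(version, range_el):
    # Every bound inside one <range> must hold.
    return all(OPS[b.tag](vkey(version), vkey(b.text)) for b in range_el)

def matching_entries(pkg_name, pkg_version, glob):
    """Return the <name> values of entries that flag the installed package."""
    hits = []
    for pkg in ET.fromstring(ENTRIES).iter("package"):
        name = pkg.findtext("name")
        name_ok = fnmatch.fnmatchcase(pkg_name, name) if glob else pkg_name == name
        if name_ok and any(in_range(pkg_version, r) for r in pkg.iter("range")):
            hits.append(name)
    return hits

def coverage_gaps(installed):
    """Packages a glob matcher flags but an exact-name matcher misses."""
    return [(n, v) for n, v in installed
            if matching_entries(n, v, glob=True)
            and not matching_entries(n, v, glob=False)]

# Constructed inventory: the name from the message plus a made-up variant.
INSTALLED = [("apr-ipv6-devrandom-gdbm-db47", "1.4.2.1.3.10"),
             ("apr-ipv6-devrandom-sqlite3", "1.4.2.1.3.10")]

if __name__ == "__main__":
    for name, version in INSTALLED:
        print(name, matching_entries(name, version, True),
              matching_entries(name, version, False))
    print("missed by exact matching:", coverage_gaps(INSTALLED))
```

With exact-name matching, every option-dependent package name needs its own entry; any variant without one is reported clean even though its version is inside the affected range.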