
security/vuxml: Fix ranges for Tomcat vulnerabilities
ClosedPublic

Authored by michaelo on Jul 15 2025, 8:08 AM.

Details

Summary

Approved by: jrm (mentor), otis (mentor), osa, jbeich

Diff Detail

Repository
R11 FreeBSD ports repository

Event Timeline

michaelo created this revision.

LGTM, but let vvd@ (tomcat ports maintainer) check as well.

This revision is now accepted and ready to land. Jul 15 2025, 8:49 AM
jbeich requested changes to this revision. Jul 15 2025, 9:35 AM
jbeich added inline comments.
security/vuxml/vuln/2025.xml (line 270)

gt (greater than), unlike ge (greater or equal), will skip the lower bound of the range, e.g.,

$ make validate
$ pkg audit -f vuln-flat.xml tomcat110-11.0.0
0 problem(s) in 0 installed package(s) found.
security/vuxml/vuln/2025.xml (line 274)

Ditto: gt vs. ge.

security/vuxml/vuln/2025.xml (line 278)

Ditto: gt vs. ge.

This revision now requires changes to proceed. Jul 15 2025, 9:35 AM
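The gt-versus-ge point above, as an added illustration that is not part of the review or of the real pkg-audit code: a tiny evaluator for VuXML range bounds, run against the tomcat110-11.0.0 package name from the comment. The range strings and the 11.0.9 upper bound are constructed samples, and version comparison is simplified to dotted integers (FreeBSD's pkg version ordering is richer).

```python
# Added example (not from the review): evaluate a VuXML <range> against a
# package version, to show why <gt> skips the lower bound while <ge> keeps it.
# Version comparison is a simplification (dotted integers only); real pkg
# ordering also handles suffixes such as _N and ,N.
import xml.etree.ElementTree as ET

OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def parse_version(v):
    """'11.0.0' -> (11, 0, 0); simplified stand-in for pkg's comparator."""
    return tuple(int(part) for part in v.split("."))


def version_in_range(version, range_xml):
    """True if the version satisfies every bound element inside <range>."""
    rng = ET.fromstring(range_xml)
    v = parse_version(version)
    return all(OPS[b.tag](v, parse_version(b.text.strip())) for b in rng)


def audit(package, range_xml):
    """Mimic 'pkg audit' on one name-version string such as tomcat110-11.0.0."""
    _name, _, version = package.rpartition("-")
    return version_in_range(version, range_xml)


# Constructed sample ranges; the 11.0.9 upper bound is illustrative only.
RANGE_GT = "<range><gt>11.0.0</gt><lt>11.0.9</lt></range>"
RANGE_GE = "<range><ge>11.0.0</ge><lt>11.0.9</lt></range>"

if __name__ == "__main__":
    for label, rng in (("gt", RANGE_GT), ("ge", RANGE_GE)):
        # With gt the 11.0.0 package is reported as unaffected; with ge it is flagged.
        print(label, "tomcat110-11.0.0 affected:", audit("tomcat110-11.0.0", rng))
```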

Add tomcat-devel to the list as well.

In D51323#1172091, @vvd wrote:

Add tomcat-devel to the list as well.

Done.

security/vuxml/vuln/2025.xml (line 270)

Why is a lower bound necessary? It doesn't include pre-releases like m26 before 0215567cf55a, the 10.1.* series before b5f9ca9d84f3, the 10.0.* series before 839de580f358, or the 9.0.* series before 0e0430dc191c.

In non-devel ports the lower bound is harmless but redundant. For example, tomcat* in VuXML from 2020 didn't use it.

security/vuxml/vuln/2025.xml (line 270)

Please note that I didn't add the lower bound, I am just fixing the range expression.

security/vuxml/vuln/2025.xml (line 8883)

Add <modified> like 3483eb36894a. Changing a range is not cosmetic, so vuxml.FreeBSD.org needs to be refreshed even if there were no new entries.

security/vuxml/vuln/2025.xml (line 270)

If you're not fixing it, drop tomcat-devel as out of scope. It has too few VuXML entries, so users are likely expected to stay up-to-date or switch to a stable version (suffixed packages).

@jbeich, we are now back to the minimalistic patch.

Looks fine. May still need <modified> but it's probably not critical.

This revision is now accepted and ready to land. Jul 15 2025, 7:10 PM
This revision now requires review to proceed. Jul 15 2025, 7:27 PM
This revision was not accepted when it landed; it landed in state Needs Review. Jul 16 2025, 8:06 PM
This revision was automatically updated to reflect the committed changes.