Details

Reviewers

otis
jrm
osa
jbeich
vvd

Commits

R11:8cc2e449b7a6: security/vuxml: Fix ranges for Tomcat vulnerabilities

Summary

Approved by: jrm (mentor), otis (mentor), osa, jbeich

Diff Detail

Repository

R11 FreeBSD ports repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

michaelo requested review of this revision.Jul 15 2025, 8:08 AM

michaelo created this revision.

Harbormaster completed remote builds in B65451: Diff 158533.Jul 15 2025, 8:08 AM

LGTM, but let also vvd@ (tomcat ports maintainer) check.

This revision is now accepted and ready to land.Jul 15 2025, 8:49 AM

michaelo added a reviewer: vvd.Jul 15 2025, 8:51 AM

jbeich requested changes to this revision.Jul 15 2025, 9:35 AM

jbeich added inline comments.

security/vuxml/vuln/2025.xml
270	`gt` (greather than) unlike `ge` (greater or equal) will skip lower bound of the range e.g., $ make validate $ pkg audit -f vuln-flat.xml tomcat110-11.0.0 0 problem(s) in 0 installed package(s) found.
274	Ditto: `gt` vs. `ge`.
278	Ditto: `gt` vs. `ge`.

This revision now requires changes to proceed.Jul 15 2025, 9:35 AM

Update with <ge>

Harbormaster completed remote builds in B65453: Diff 158535.Jul 15 2025, 10:08 AM

Done.

Add tomcat-devel to the list as well.

Add tomcat-devel

Harbormaster completed remote builds in B65459: Diff 158554.Jul 15 2025, 3:13 PM

In D51323#1172091, @vvd wrote:

Add tomcat-devel to the list as well.

Done.

vvd accepted this revision.Jul 15 2025, 3:32 PM

@jbeich, any objections?

jbeich added inline comments.Jul 15 2025, 6:20 PM

security/vuxml/vuln/2025.xml
270	Why lower bound is necessary? It doesn't include pre-releases like m26 before 0215567cf55a, 10.1.* series before b5f9ca9d84f3, 10.0.* series before 839de580f358, 9.0.* series before 0e0430dc191c. In non-devel ports lower bound is harmless but redundant. For example, tomcat* in VuXML from 2020 didn't use it.

michaelo added inline comments.Jul 15 2025, 6:23 PM

security/vuxml/vuln/2025.xml
270	Please note that I didn't add the lower bound, I am just fixing the range expression.

jbeich added inline comments.Jul 15 2025, 6:49 PM

security/vuxml/vuln/2025.xml
8883	Add `modified` like 3483eb36894a. Changing range is not cosmetic, so need to refresh vuxml.FreeBSD.org even if there were no new entries.

jbeich added inline comments.Jul 15 2025, 6:53 PM

security/vuxml/vuln/2025.xml
270	If you're not fixing drop tomcat-devel as out-of-scope. It has too few VuXML entries, so users are likely expected to stay up-to-date or switch to a stable version (suffixed packages).

Remove tomcat-devel

Harbormaster completed remote builds in B65467: Diff 158570.Jul 15 2025, 6:58 PM

@jbeich , we are now back to the minimalistic patch.

Looks fine. May still need <modified> but it's probably not critical.

This revision is now accepted and ready to land.Jul 15 2025, 7:10 PM

Add modified

This revision now requires review to proceed.Jul 15 2025, 7:27 PM

Harbormaster completed remote builds in B65468: Diff 158573.Jul 15 2025, 7:27 PM

This revision was not accepted when it landed; it landed in state Needs Review.Jul 16 2025, 8:06 PM

Closed by commit R11:8cc2e449b7a6: security/vuxml: Fix ranges for Tomcat vulnerabilities (authored by michaelo). · Explain Why

This revision was automatically updated to reflect the committed changes.

michaelo added a commit: R11:8cc2e449b7a6: security/vuxml: Fix ranges for Tomcat vulnerabilities.

security/vuxml: Fix ranges for Tomcat vulnerabilities
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 158639

security/vuxml/vuln/2025.xml

security/vuxml: Fix ranges for Tomcat vulnerabilitiesClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 158639

security/vuxml/vuln/2025.xml

security/vuxml: Fix ranges for Tomcat vulnerabilities
ClosedPublic
Actions

Revision Contents
Changeset List