Details

Reviewers

otis
jrm
osa
jbeich
vvd

Commits

R11:8cc2e449b7a6: security/vuxml: Fix ranges for Tomcat vulnerabilities

Summary

Approved by: jrm (mentor), otis (mentor), osa, jbeich

Diff Detail

Repository

R11 FreeBSD ports repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 65467
Build 62350: arc lint + arc unit

Event Timeline

michaelo requested review of this revision.Tue, Jul 15, 8:08 AM

michaelo created this revision.

Harbormaster completed remote builds in B65451: Diff 158533.Tue, Jul 15, 8:08 AM

LGTM, but let also vvd@ (tomcat ports maintainer) check.

This revision is now accepted and ready to land.Tue, Jul 15, 8:49 AM

michaelo added a reviewer: vvd.Tue, Jul 15, 8:51 AM

jbeich requested changes to this revision.Tue, Jul 15, 9:35 AM

jbeich added inline comments.

security/vuxml/vuln/2025.xml
269	`gt` (greather than) unlike `ge` (greater or equal) will skip lower bound of the range e.g., $ make validate $ pkg audit -f vuln-flat.xml tomcat110-11.0.0 0 problem(s) in 0 installed package(s) found.
273	Ditto: `gt` vs. `ge`.
277	Ditto: `gt` vs. `ge`.

This revision now requires changes to proceed.Tue, Jul 15, 9:35 AM

Update with <ge>

Harbormaster completed remote builds in B65453: Diff 158535.Tue, Jul 15, 10:08 AM

Done.

Add tomcat-devel to the list as well.

Add tomcat-devel

Harbormaster completed remote builds in B65459: Diff 158554.Tue, Jul 15, 3:13 PM

In D51323#1172091, @vvd wrote:

Add tomcat-devel to the list as well.

Done.

vvd accepted this revision.Tue, Jul 15, 3:32 PM

@jbeich, any objections?

jbeich added inline comments.Tue, Jul 15, 6:20 PM

security/vuxml/vuln/2025.xml
269	Why lower bound is necessary? It doesn't include pre-releases like m26 before 0215567cf55a, 10.1.* series before b5f9ca9d84f3, 10.0.* series before 839de580f358, 9.0.* series before 0e0430dc191c. In non-devel ports lower bound is harmless but redundant. For example, tomcat* in VuXML from 2020 didn't use it.

michaelo added inline comments.Tue, Jul 15, 6:23 PM

security/vuxml/vuln/2025.xml
269	Please note that I didn't add the lower bound, I am just fixing the range expression.

jbeich added inline comments.Tue, Jul 15, 6:49 PM

security/vuxml/vuln/2025.xml
8882	Add `modified` like 3483eb36894a. Changing range is not cosmetic, so need to refresh vuxml.FreeBSD.org even if there were no new entries.

jbeich added inline comments.Tue, Jul 15, 6:53 PM

security/vuxml/vuln/2025.xml
269	If you're not fixing drop tomcat-devel as out-of-scope. It has too few VuXML entries, so users are likely expected to stay up-to-date or switch to a stable version (suffixed packages).

Remove tomcat-devel

Harbormaster completed remote builds in B65467: Diff 158570.Tue, Jul 15, 6:58 PM

@jbeich , we are now back to the minimalistic patch.

Looks fine. May still need <modified> but it's probably not critical.

This revision is now accepted and ready to land.Tue, Jul 15, 7:10 PM

Add modified

This revision now requires review to proceed.Tue, Jul 15, 7:27 PM

Harbormaster completed remote builds in B65468: Diff 158573.Tue, Jul 15, 7:27 PM

This revision was not accepted when it landed; it landed in state Needs Review.Wed, Jul 16, 8:06 PM

Closed by commit R11:8cc2e449b7a6: security/vuxml: Fix ranges for Tomcat vulnerabilities (authored by michaelo). · Explain Why

This revision was automatically updated to reflect the committed changes.

michaelo added a commit: R11:8cc2e449b7a6: security/vuxml: Fix ranges for Tomcat vulnerabilities.

security/vuxml: Fix ranges for Tomcat vulnerabilities
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 158570

security/vuxml/vuln/2025.xml

security/vuxml: Fix ranges for Tomcat vulnerabilitiesClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 158570

security/vuxml/vuln/2025.xml

security/vuxml: Fix ranges for Tomcat vulnerabilities
ClosedPublic
Actions

Revision Contents
Changeset List