Details
Diff Detail
- Lint
No Lint Coverage - Unit
No Test Coverage - Build Status
Buildable 18991 Build 18628: arc lint + arc unit
Event Timeline
security/vuxml/vuln.xml | ||
---|---|---|
66 | Do we have issues here with PORTEPOCH (and with vid=1e54d140-8493-11e8-a795-0028f8d09152)? I did some testing with pkg audit -f /usr/ports/security/vuxml/vuln.xml couchdb-x.x. pkg audit -f /usr/ports/security/vuxml/vuln.xml couchdb-1.7.2,2 pkg audit -f /usr/ports/security/vuxml/vuln.xml couchdb-1.7.1,2 Do we want <le>1.7.2,2</le> here and <lt>1.7.2,2</lt> for vid=1e54d140-8493-11e8-a795-0028f8d09152 ? |
Doing pkg audit -f /usr/ports/security/vuxml/vuln.xml when couchdb is installed doesn't work due to epoch as you mentioned, so I also need to fix this in
(mea culpa) VID 1e54d140-8493-11e8-a795-0028f8d09152 from https://svnweb.freebsd.org/ports?view=revision&revision=474445 as well.
security/vuxml/vuln.xml | ||
---|---|---|
66 | woops, thanks! That's not what I expected. I've been using the simplistic check to confirm I get expected output, but I need to check that the vuxml entry is not shown for the fictional next release to catch this next time. |
security/vuxml/vuln.xml | ||
---|---|---|
66 | Will there be future 1.x releases? Will you eventually remove databases/couchdb2 and upgrade database/couchdb to 2.x? |
security/vuxml/vuln.xml | ||
---|---|---|
66 | good question. future 1.x releases? -> extremely unlikely. I'm not sure what makes most sense from ports@ policy, but here's what I had in mind, but haven't discussed in the couch community yet: phase 1:
phase 2:
maybe phase 3?
my reasoning:
|
I am trying to make sense of the vuln entry with two different couchdb packages, couchdb-1.x.x,2 and couchdb2-2.x. Based on what you wrote, does <range><le>1.7.2,2</le></range> make more sense for the new entry, which I assume only applies to the couchdb-1.x.x,2 package?
OK I see what you mean.
- 2.1.2 and lower is vulnerable, but 2.2.0 is not.
- 1.7.2 is vulnerable, and will not be patched as it's (long) out of support and we're not doing any more releases on the 1.x branches
- therefore 2.2.0 is the only version that is not vulnerable, and I'm not expecting any later patches to address < 2.2.0
- If at some future point, couchdb2 is renamed to databases/couchdb, the vulnerability list will still be correct
I don't see any other pattern that covers this other than < 2.2.0.
Of course any new vulnerabilities for 2.x series will need to be reported against that port only.
my poudriere box has finally caught up with rebuilding all the things so I'll have those in soon.