Message-Id: <200709051011.l85ABKax081647@www.freebsd.org>
Date: Wed, 5 Sep 2007 10:11:20 GMT
From: Klavs Klavsen <klavs@EnableIT.dk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Bug in portaudit: it does not handle packagenames with ,
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         116115
>Category:       misc
>Synopsis:       Bug in portaudit: it does not handle packagenames with ,
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 05 10:20:01 GMT 2007
>Closed-Date:    Wed Sep 05 11:28:47 GMT 2007
>Last-Modified:  Wed Sep  5 11:30:07 GMT 2007
>Originator:     Klavs Klavsen
>Release:        FreeBSD-6.2
>Organization:
EnableIT
>Environment:
FreeBSD tomcat5-ny.telmore.dk 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC 2007     root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  i386

>Description:
Hi guys,

I was just testing portaudit on FreeBSD 6.2.

I have mod_jk-1.2.19,1 installed.

a portaudit -Fda does not show it's vulnerable to anything.

However - it really is, and it's in the vulndb as well.

If I rename mod_jk-1.2.19,1 to mod_jk-1.2.19 a portaudit -Fda (or just -a)
says it's vulnerable.

So the conclusion is that portaudit's "version number" matching doesn't
seem to handle ,'s all that well.
>How-To-Repeat:
rename mod_jk to mod_jk-1.2.19,1 and see it NOT work. 
>Fix:


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Wed Sep 5 11:28:46 UTC 2007 
State-Changed-Why:  
I fixed this some seconds ago in the Vuxml document. Thank you for 
reporting! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=116115 

From: Remko Lodder <remko@FreeBSD.org>
To: Klavs Klavsen <klavs@EnableIT.dk>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/116115: Bug in portaudit: it does not handle packagenames
 with	,
Date: Wed, 05 Sep 2007 13:26:24 +0200

 Klavs Klavsen wrote:
 >> Number:         116115
 >> Category:       misc
 >> Synopsis:       Bug in portaudit: it does not handle packagenames with ,
 >> Confidential:   no
 >> Severity:       critical
 >> Priority:       high
 >> Responsible:    freebsd-bugs
 >> State:          open
 >> Quarter:        
 >> Keywords:       
 >> Date-Required:
 >> Class:          sw-bug
 >> Submitter-Id:   current-users
 >> Arrival-Date:   Wed Sep 05 10:20:01 GMT 2007
 >> Closed-Date:
 >> Last-Modified:
 >> Originator:     Klavs Klavsen
 >> Release:        FreeBSD-6.2
 >> Organization:
 > EnableIT
 >> Environment:
 > FreeBSD tomcat5-ny.telmore.dk 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC 2007     root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  i386
 > 
 >> Description:
 > Hi guys,
 > 
 > I was just testing portaudit on FreeBSD 6.2.
 > 
 > I have mod_jk-1.2.19,1 installed.
 > 
 > a portaudit -Fda does not show it's vulnerable to anything.
 > 
 > However - it really is, and it's in the vulndb as well.
 > 
 > If I rename mod_jk-1.2.19,1 to mod_jk-1.2.19 a portaudit -Fda (or just -a)
 > says it's vulnerable.
 > 
 > So the conclusion is that portaudit's "version number" matching doesn't
 > seem to handle ,'s all that well.
 >> How-To-Repeat:
 > rename mod_jk to mod_jk-1.2.19,1 and see it NOT work. 
 >> Fix:
 > 
 > 
 
 Actually you are incorrect strictly seen. You are correct that there is
 a problem though :-). Portaudit handles the ,\d perfectly, though
 PORTEPOCH (as the ,\d is called) makes version handling very different.
 If a port has PORTEPOCH, this always is 'newer' than any other version
 available. This is to make sure we can roll back from a newer version.
 
 I fixed this in the vuxml document seconds ago.
 
 Thanks for noting this!
 
 Cheers
 remko
 -- 
 Kind regards,
 
      Remko Lodder               ** remko@elvandar.org
      FreeBSD                    ** remko@FreeBSD.org
 
      /* Quis custodiet ipsos custodes */
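
Added example (not part of the PR, of portaudit, or of vuln.xml): a simplified model of the version ordering described in the reply above, showing why an entry whose upper bound carries no PORTEPOCH misses mod_jk-1.2.19,1 but matches the renamed mod_jk-1.2.19. The bound 1.2.20 and the function names are assumptions made for illustration, and versions are treated as dotted integers only.

```python
from itertools import zip_longest

def parse_version(v):
    """Split '<version>[_<PORTREVISION>][,<PORTEPOCH>]' into comparable parts.
    Simplification: <version> is dotted integers only."""
    ver, _, epoch = v.partition(",")
    ver, _, rev = ver.partition("_")
    return int(epoch or 0), [int(p) for p in ver.split(".")], int(rev or 0)

def compare(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:  # PORTEPOCH outranks the version string itself
        return -1 if ea < eb else 1
    for x, y in zip_longest(ca, cb, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return (ra > rb) - (ra < rb)

def audit(installed, entries):
    """Return installed packages older than their entry's 'less than' bound."""
    hits = []
    for pkg in installed:
        name, _, version = pkg.rpartition("-")
        bound = entries.get(name)
        if bound is not None and compare(version, bound) < 0:
            hits.append(pkg)
    return hits

# Constructed data: the bound 1.2.20 is a placeholder, not the real vuln.xml range.
ENTRY_WITHOUT_EPOCH = {"mod_jk": "1.2.20"}
ENTRY_WITH_EPOCH = {"mod_jk": "1.2.20,1"}

if __name__ == "__main__":
    for pkg in ("mod_jk-1.2.19", "mod_jk-1.2.19,1"):
        print(pkg, audit([pkg], ENTRY_WITHOUT_EPOCH), audit([pkg], ENTRY_WITH_EPOCH))
```

When a port gains a PORTEPOCH, existing vulnerability ranges for it need the epoch added to their bounds, otherwise every installed version with the epoch compares as newer than the range and drops out of the audit.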

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/116115: commit references a PR
Date: Wed,  5 Sep 2007 11:26:38 +0000 (UTC)

 remko       2007-09-05 11:26:32 UTC
 
   FreeBSD ports repository (src,doc committer)
 
   Modified files:
     security/vuxml       vuln.xml 
   Log:
   Fix mod_jk's version since PORTEPOCH came into play.
   
   PR:             116115
   Reported by:    Klavs Klavsen <klavs at EnableIT dot dk>
   
   Revision  Changes    Path
   1.1412    +3 -2      ports/security/vuxml/vuln.xml
 
>Unformatted:
