Greetings,

please see the attached commits I've made:

@Fernando:
- version ranges need to mention PORTEPOCH properly

- if you have a <ge> and <lt> tag for a limited "in between these versions" range, be sure to put them in the same range, else we will end up with two overlapping but open-ended ranges, effectively listing *all* versions vulnerable

- remember to list linux/emulation ports, too

@Emulation:
- additional difficulty: linux-rl9-sqlite was merged into linux_base-rl9 which has its own Makefile.version for several packages, and one upstream version, so we don't have an easy top-level version to look at. I guess we'll resort to PORTREVISION. Please check if sqlite3 was patched vs. earlier linux_base-rl9 versions for the relevant vulnerability or if it is vulnerable in RockyLinux9 and adjust the vuln/2025.xml version after the fix.

I've bluntly and summarily listed linux-c7 vulnerable, which has 3.7.17-whatever but is also EOL and shouldn't be used. I guess we should strip it from the distro.


ALSO, I've seen several entries where the <gt> tag is off. Some are right and mention <gt>1.2.3</gt> where a bug was introduced in 1.2.4, some seem implausible (navidrome >0.55 -- 0.55 was a big refactoring so is far more likely to have introduced bugs than a later version - we needn't care though because another vulnerability with wider range of affected versions overlaps the other vuln/2025.xml entry.).

Regards,
Matthias
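As an added illustration of the two range pitfalls described above (a <ge>/<lt> pair split into separate ranges, and bounds with mismatched PORTEPOCH), here is a small Python checker over a constructed <affects> fragment; it is not part of this thread or of the vuxml tooling, and the package names in the sample are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the sqlite3 entries discussed in this thread
# (not taken from vuln/2024.xml or 2025.xml): one correctly bounded range,
# one lower/upper pair split into two ranges, and one range mixing epochs.
SAMPLE = """<affects>
  <package><name>bounded</name>
    <range><ge>3.43.0,1</ge><lt>3.43.2,1</lt></range></package>
  <package><name>split</name>
    <range><ge>3.43.0,1</ge></range><range><lt>3.43.2,1</lt></range></package>
  <package><name>mixed-epoch</name>
    <range><ge>3.43.0</ge><lt>3.43.2,1</lt></range></package>
</affects>"""

LOWER = ("ge", "gt")
UPPER = ("le", "lt")

def epoch_of(version):
    """PORTEPOCH is the part after the last comma; a version without one has epoch 0."""
    return int(version.rsplit(",", 1)[1]) if "," in version else 0

def check_affects(xml_text):
    """Return (package name, problem) pairs for range patterns that silently widen an entry."""
    problems = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        name = pkg.findtext("name")
        lowers_only, uppers_only = 0, 0
        for rng in pkg.iter("range"):
            lo = [c for c in rng if c.tag in LOWER]
            hi = [c for c in rng if c.tag in UPPER]
            if lo and hi and epoch_of(lo[0].text) != epoch_of(hi[0].text):
                # pkg compares the epoch before the version, so every epoch-1 package
                # sits above an epoch-0 lower bound: only the upper bound still bites.
                problems.append((name, "mixed epochs: lower bound is ineffective"))
            lowers_only += bool(lo) and not hi
            uppers_only += bool(hi) and not lo
        if lowers_only and uppers_only:
            # two open-ended ranges on one package together cover every version
            problems.append((name, "split bounds: ranges together match all versions"))
    return problems

if __name__ == "__main__":
    for name, why in check_affects(SAMPLE):
        print(f"{name}: {why}")
```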
--- Begin Message ---
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7296fd2fe2b0415f31fe4b843f05b942ae8f9819

commit 7296fd2fe2b0415f31fe4b843f05b942ae8f9819
Author:     Matthias Andree <[email protected]>
AuthorDate: 2025-08-01 09:41:36 +0000
Commit:     Matthias Andree <[email protected]>
CommitDate: 2025-08-01 09:41:36 +0000

    security/vuxml: clean up sqlite3 version range mess
    
    Several sqlite3 entries mentioned wrong version ranges
    with respect to PORTEPOCH and/or forgot the linux-*-sqlite
    or, more recently, linux_base port.
    
    While auditing this, I saw several implausible tags that used <gt>
    (greater-than) in ranges where I believe that <ge> (greater-or-equal)
    would be more adequate.
    
    Add relevant reminders to vuxml's Makefile.
    
    Fix up sqlite3's 2025 entries.
    
    linux_base-rl9 currently ships 3.34.1-7.el9_3, see
    emulators/linux_base-rl9/Makefile.version - I don't know if that's
    vulnerable or was patched inside Rocky Linux, but let's err on the safe side.
    I'll leave it up to emulation@ to clean up this particular entry.
---
 security/vuxml/Makefile      | 12 ++++++++++++
 security/vuxml/vuln/2024.xml |  7 ++++---
 security/vuxml/vuln/2025.xml | 14 +++++++++++++-
 3 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile
index 56af61aba418..9a3ef8b7a291 100644
--- a/security/vuxml/Makefile
+++ b/security/vuxml/Makefile
@@ -83,6 +83,10 @@ validate: tidy
                return 1; \
        fi
        ${PYTHON_CMD} ${FILESDIR}/extra-validation.py ${VUXML_FLAT_FILE}
+       @${ECHO_CMD}
+       @${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and 
remember possible linux-* ports!'
+       @${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> 
where adequate.'
+       @${ECHO_CMD}
 
 tidy: ${VUXML_FLAT_NAME}
        @if [ ! -e ${LOCALBASE}/share/xml/dtd/vuxml/catalog.xml ]; \
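Review bot: the same two reminder lines are pasted three times in this Makefile (here in validate and twice more in newentry below); define them once, for example as a `reminder` target or an `ECHO_CMD` macro, and call it from both targets so the wording cannot drift the next time one copy is edited.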
@@ -93,7 +97,15 @@ tidy: ${VUXML_FLAT_NAME}
        ${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > 
"${VUXML_FILE}.tidy"
 
 newentry:
+       @${ECHO_CMD}
+       @${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and 
remember possible linux-* ports!'
+       @${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> 
where adequate.'
+       @${ECHO_CMD}
        @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" 
"CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}"
+       @${ECHO_CMD}
+       @${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and 
remember possible linux-* ports!'
+       @${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> 
where adequate.'
+       @${ECHO_CMD}
 
 .if defined(VID) && !empty(VID)
 html: work/${VID}.html
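Review bot: within newentry the reminder is printed both before and after newentry.sh; the copy printed before will scroll past under the script's own output, so the copy after the call is the one that helps and the earlier one can go. The text `'<gt> tags are usually wrong in ranges'` also overstates the case, since `<gt>` is correct whenever the bug was introduced in the release after the named one; `'check whether <ge> is meant'` would be more accurate.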
diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index c824f0b19868..64f19bfb38aa 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -3668,15 +3668,15 @@
     <affects>
       <package>
        <name>sqlite3</name>
-       <range><ge>3.43.0</ge><lt>3.43.2,1</lt></range>
+       <range><ge>3.43.0,1</ge><lt>3.43.2,1</lt></range>
       </package>
       <package>
        <name>linux-rl9-sqlite</name>
-       <range><ge>3.43.0</ge><lt>3.43.2</lt></range>
+       <range><ge>3.43.0,1</ge><lt>3.43.2,1</lt></range>
       </package>
       <package>
        <name>linux-c7-sqlite</name>
-       <range><ge>3.43.0</ge><lt>3.43.2</lt></range>
+       <range><ge>3.43.0,1</ge><lt>3.43.2,1</lt></range>
       </package>
     </affects>
     <description>
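Review bot: linux-rl9-sqlite and linux-c7-sqlite now get `,1` on both bounds here, but the 2025.xml hunk in this same commit keeps `<lt>3.50.2</lt>` (no epoch) for linux-c7-sqlite, and the follow-up databases/sqlite3 Makefile comment says the linux-c7 port has a different EPOCH; verify the real PORTEPOCH of the linux-*-sqlite ports and make both files agree. The sqlite3 change itself is right: because pkg compares the epoch before the version, the old `<ge>3.43.0</ge><lt>3.43.2,1</lt>` matched every epoch-1 sqlite3 package below 3.43.2,1.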
@@ -3698,6 +3698,7 @@
     <dates>
       <discovery>2024-01-16</discovery>
       <entry>2024-09-29</entry>
+      <modified>2025-08-01</modified>
     </dates>
   </vuln>
 
diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index b8d669821d8b..8f68010d3ba5 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -3,8 +3,10 @@
     <affects>
       <package>
        <name>sqlite3</name>
-       <range><gt>3.39.2</gt><lt>3.41.1</lt></range>
+       <range><ge>3.39.2,1</ge><lt>3.41.2,1</lt></range>
       </package>
+      <!-- as of 2025-08-01, sqlite in -c7 is 3.7.17 and matched by the 
<3.50.2 below,
+          and -rl9 aka linux_base ships 3.34.1 which is outside this range. -->
     </affects>
     <description>
        <body xmlns="http://www.w3.org/1999/xhtml";>
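Review bot: besides the epoch and `<gt>` to `<ge>` cleanup, the upper bound moves from 3.41.1 to 3.41.2,1; the commit message only mentions the epoch and gt/ge fixes, so record in the log (or in the entry's references) which upstream release actually contains the fix, since this changes whether 3.41.1,1 is reported as vulnerable.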
@@ -26,6 +28,7 @@
     <dates>
       <discovery>2025-07-29</discovery>
       <entry>2025-07-31</entry>
+      <modified>2025-08-01</modified>
     </dates>
   </vuln>
 
@@ -959,8 +962,16 @@
     <affects>
       <package>
        <name>sqlite3</name>
+       <range><lt>3.50.2,1</lt></range>
+      </package>
+      <package>
+       <name>linux-c7-sqlite</name>
        <range><lt>3.50.2</lt></range>
       </package>
+      <package>
+       <name>linux_base</name>
+       <range><ge>0</ge></range>
+      </package>
     </affects>
     <description>
        <body xmlns="http://www.w3.org/1999/xhtml";>
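Review bot: `<name>linux_base</name>` is not the port name (the follow-up commit 1ba883ce in this thread corrects it to linux_base-rl9), and `<range><ge>0</ge></range>` is an open-ended match that will keep flagging every linux_base-rl9 package after a fix lands; as the cover mail proposes, give it a `<lt>` bound on the PORTREVISION that carries the patched sqlite3 once emulation@ has checked whether Rocky's 3.34.1-7.el9_3 is affected.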
@@ -980,6 +991,7 @@
     <dates>
       <discovery>2025-07-15</discovery>
       <entry>2025-07-23</entry>
+      <modified>2025-08-01</modified>
     </dates>
   </vuln>
 

--- End Message ---
--- Begin Message ---
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=180cc2bb44cd169e9beede3b86d8610086a845cf

commit 180cc2bb44cd169e9beede3b86d8610086a845cf
Author:     Matthias Andree <[email protected]>
AuthorDate: 2025-08-01 09:42:48 +0000
Commit:     Matthias Andree <[email protected]>
CommitDate: 2025-08-01 09:42:48 +0000

    databases/sqlite3: Add reminder comment about linux ports
    
    I saw several vuxml entries that lacked corresponding
    linux-*-sqlite entries, or linux_base-rl9 these days (since June 2025).
    
    Add a reminder comment near the PORTVERSION to remind people to
    also add linux-*-sqlite VuXML entries as needed.
---
 databases/sqlite3/Makefile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/databases/sqlite3/Makefile b/databases/sqlite3/Makefile
index 61ee2abfc839..0d66218dec05 100644
--- a/databases/sqlite3/Makefile
+++ b/databases/sqlite3/Makefile
@@ -1,5 +1,8 @@
 PORTNAME=      sqlite3
 DISTVERSION=   3.50.2
+# SECURITY WARNING: when updating this port, also file vuxml entry
+# for ports/databases/linux-c7-sqlite3 (but mind it has a different EPOCH)
+# and coordinate with ports/emulators/linux_base which also ships sqlite3.
 PORTREVISION=  1
 PORTEPOCH=     1
 CATEGORIES=    databases
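Review bot: the comment names `ports/databases/linux-c7-sqlite3` and `ports/emulators/linux_base`, whereas the VuXML entries in this thread use the package names linux-c7-sqlite and linux_base-rl9; check the actual port directory names so the reminder points maintainers at the right places, and "file vuxml entry" should read "file a vuxml entry".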

--- End Message ---
--- Begin Message ---
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1ba883ceae271337ab4532efc4e2fb6096f5d628

commit 1ba883ceae271337ab4532efc4e2fb6096f5d628
Author:     Matthias Andree <[email protected]>
AuthorDate: 2025-08-01 09:45:34 +0000
Commit:     Matthias Andree <[email protected]>
CommitDate: 2025-08-01 09:45:34 +0000

    security/vuxml: fixup linux_base -> linux_base-rl9
---
 security/vuxml/vuln/2025.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index 8f68010d3ba5..36d8905770c4 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -969,7 +969,7 @@
        <range><lt>3.50.2</lt></range>
       </package>
       <package>
-       <name>linux_base</name>
+       <name>linux_base-rl9</name>
        <range><ge>0</ge></range>
       </package>
     </affects>

--- End Message ---
