Hi, Did you build your own ports where ruby 2.0 was default? I see the package name here is ruby-2.0.0.645,1, not ruby20-2.0.0.645,1. The entries in vuxml look like this:
3326 <name>ruby20</name> 3327 <range><lt>2.0.0.645,1</lt></range> ... 3330 <name>ruby</name> 3331 <range><lt>2.1.6,1</lt></range> So I think maybe it's matching the second entry and then looking for a ruby version 2.1.6,1 or newer. Not sure what the right solution is for this right now. Steve On Sun, Jun 21, 2015 at 08:43:33AM +0200, Ing. Břetislav Kubesa wrote: > Hi, > > already for longer time while updating to 2.0.0.645,1 version, I'm > getting message that it's vulnerable, but I think it's not the case as > vulnerable are ruby20 < 2.0.0.645,1 (but it's not ruby20 <= 2.0.0.645,1). > However I'm not sure where to report it for checking, so I hope it's the > right place here. > > Thank you. > > > ---> Upgrading 'ruby-2.0.0.643_1,1' to 'ruby-2.0.0.645,1' (lang/ruby20) > ---> Building '/usr/ports/lang/ruby20' > ===> Cleaning for ruby-2.0.0.645,1 > ===> ruby-2.0.0.645,1 has known vulnerabilities: > ruby-2.0.0.645,1 is vulnerable: > Ruby -- OpenSSL Hostname Verification Vulnerability > CVE: CVE-2015-1855 > WWW: > http://vuxml.FreeBSD.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html > > Best regards, > Bretislav Kubesa > _______________________________________________ > [email protected] mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ports > To unsubscribe, send any mail to "[email protected]"
pgpm1JVhmKIiT.pgp
Description: PGP signature
