Quoth Harald <ha...@free.fr>:
> On Sun, Aug 09, 2009 at 11:04:52PM +0100, Ben Morrow wrote:
>
> > I was about to say 'I believe the vuxml entry for firefox is incorrect',
> > but I see it's been fixed. Neither 3.0.13 nor 3.5.2 are vulnerable, and
> > vuxml now correctly reports this.
>
> Today security/vuxml/vuln.xml says:
>
>   <affects>
>     <package>
>       <name>firefox</name>
>       <name>linux-firefox</name>
>       <range><lt>3.*,1</lt></range>
>       <range><gt>3.*,1</gt><lt>3.0.13,1</lt></range>
>       <range><gt>3.5.*,1</gt><lt>3.5.2,1</lt></range>
>     </package>
>
> 1. Could someone tell me the meaning of the ``*'' values please ?
>    I can't see the logic of the range lines.

3.* is the lowest possible version starting with '3.': in particular,
it's less than 3.0 and less than 3.a. So the <lt>3.*,1</lt> will match
anything less than firefox3. The next two lines deal with the specifics
of which firefox3 versions are vulnerable.

> 2. Yesterday I installed firefox quickly with ``pkg_add -r firefox3''
>    and got firefox-3.0.10,1.
>    Portaudit declares it vulnerable which seems to correspond
>    to the second range line.
>    I guess I have to compile firefox3 to be clean ?

3.0.10,1 is vulnerable, yes. If there aren't packages for 3.0.13,1 yet
you will need to compile it yourself.

Ben

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
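
The range logic explained in the message above, as an added example that is not part of the original thread and is not the portaudit or pkg_version code: a simplified version comparator in which `*` sorts below every other component, applied to the three ranges quoted from vuln.xml. The function names, the zero-padding rule, the ignored port revision and the test versions are assumptions made for illustration.

```python
import re
from itertools import zip_longest

# Ranges copied from the vuln.xml excerpt quoted in the message.
FIREFOX_RANGES = [
    {"lt": "3.*,1"},
    {"gt": "3.*,1", "lt": "3.0.13,1"},
    {"gt": "3.5.*,1", "lt": "3.5.2,1"},
]

def parse(version):
    """Return a sortable key: (epoch, [(number, letters), ...])."""
    version, _, epoch = version.partition(",")
    version = version.split("_")[0]      # port revision ignored in this simplified model
    parts = []
    for comp in version.split("."):
        if comp == "*":
            parts.append((-1, ""))       # '*' sorts below 0 and below any letter
            continue
        m = re.fullmatch(r"(\d*)([a-z]*)", comp)
        if m is None:
            raise ValueError(f"unsupported version component: {comp!r}")
        parts.append((int(m.group(1) or 0), m.group(2)))
    return int(epoch or 0), parts

def compare(a, b):
    """Return -1, 0 or 1; the epoch decides first, short versions are zero-padded."""
    (ea, pa), (eb, pb) = parse(a), parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in zip_longest(pa, pb, fillvalue=(0, "")):
        if x != y:
            return -1 if x < y else 1
    return 0

# The five comparison elements a VuXML <range> can contain.
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def is_affected(version, ranges=FIREFOX_RANGES):
    """True if the version satisfies every bound of at least one range."""
    return any(all(OPS[op](compare(version, bound)) for op, bound in r.items())
               for r in ranges)

if __name__ == "__main__":
    # Constructed test versions; only 3.0.10,1, 3.0.13 and 3.5.2 appear in the thread.
    for v in ("2.0.0.20,1", "3.0.10,1", "3.0.13,1", "3.5.1,1", "3.5.2,1"):
        print(v, "vulnerable" if is_affected(v) else "not matched")
```
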