Subject : Re: pkg/ports, pkg audit, and libxml2
From : wbe (at) *nospam* UBEBLOCK.psr.com.invalid (Winston)
Newsgroups : comp.unix.bsd.freebsd.misc
Date : 17. Jun 2025, 01:38:20
Organization : A noiseless patient Spider
Message-ID : <ydo6unw6bn.fsf@UBEblock.psr.com>
User-Agent : Gnus/5.13 (Gnus v5.13)
I previously wrote:
The links from 'pkg audit' to pages describing its issues
gave the version number required to resolve the issues.
to which Christian Weisgerber <naddy@mips.inka.de> replied:
They do? All I see is that such-and-such version is affected.
but then added:
The vuxml entry has a <range> element, which typically just contains
a <lt> (less than), indicating that any version LESS THAN the given
FreeBSD package version is affected.
Yes, which I see as equivalent to "giving the version number required to
resolve the issues", since, as you say, it's '<', not '<='.
Sometimes people create the vuxml entry when they upgrade the port to
a version with a fix, sometimes they create the vuxml entry before a
fix is available.
[Leaving out a lot, rather than quoting it all ...]
OK, I think you've answered my original question: the vulnerability
description having a version number for the fix does NOT mean that said
fix is actually available yet -- it could be just the version number
that eventually will be used once the fix does become available.
Thanks,
-WBE
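The `<range>`/`<lt>` semantics Christian describes, and the conclusion above that the `<lt>` version is only the first unaffected version rather than a guarantee that a fixed package exists, as an added example that is not part of this thread: a small check over a constructed VuXML-style entry (the vid, topic and version numbers are made up), using a simplified FreeBSD `version_revision,epoch` comparison that is an assumption here, not pkg's own algorithm.

```python
import re
import xml.etree.ElementTree as ET

# Constructed VuXML-style entry (placeholder vid, made-up versions).
# <lt> names the first version the entry treats as NOT affected; nothing in
# the entry says whether that version has actually landed in the ports tree.
VUXML_ENTRY = """<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>libxml2 -- example issue (constructed)</topic>
  <affects>
    <package>
      <name>libxml2</name>
      <range><lt>2.13.8</lt></range>
    </package>
  </affects>
</vuln>"""

def _component_key(p):
    # Split "7a" into (0,7),(1,"a") so digits and letters compare sanely.
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", p))

def parse_version(v):
    """Simplified FreeBSD pkg version key (assumption, not pkg's algorithm):
    'version[_revision][,epoch]'; epoch dominates, then dotted version, then revision."""
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    return (epoch, tuple(_component_key(p) for p in v.split(".")), revision)

_OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
        "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b}

def affected(entry_xml, pkgname, installed):
    """True if the installed version satisfies every bound of some <range> for pkgname."""
    iv = parse_version(installed)
    for pkg in ET.fromstring(entry_xml).iter("package"):
        if pkg.findtext("name") != pkgname:
            continue
        for rng in pkg.findall("range"):
            if all(_OPS[b.tag](iv, parse_version(b.text.strip())) for b in rng):
                return True
    return False

def fixed_version(entry_xml, pkgname):
    """The <lt> bound: first unaffected version, which may not be released yet."""
    for pkg in ET.fromstring(entry_xml).iter("package"):
        if pkg.findtext("name") == pkgname and pkg.find("range/lt") is not None:
            return pkg.find("range/lt").text.strip()
    return None
```

The `2.13.8` boundary itself is reported as unaffected because the bound is `<`, not `<=`, exactly the distinction discussed above.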