Latest Vulnerabilities includes deleted ports

John Marino wrote in to mention that the list of latest vulnerabilities (see the right hand column of the Latest Vulnerabilities“>home page) indicates that x11/kdelibs3. While it is true that the vulnerability in question applies to kdelibs < 4.12.5_3, x11/kdelibs3 was removed from the FreeBSD ports tree on 26 Jul 2013.

Background

The list in question is generated each time a commit occurs to the security/vuxml/vuln.xml file. That script runs this query to get the list of affected ports:

SELECT DISTINCT
         PA.category,
         PA.name AS port,
         coalesce(V.date_modified, V.date_entry, V.date_discovery) AS date,
         V.vid,
         to_char(coalesce(V.date_modified, V.date_entry, V.date_discovery)::date, 'Mon DD') AS date_formatted,
         V.date_modified IS NULL AS new,
         lower(name)
    FROM commit_log_ports_vuxml CLPV, vuxml V, ports_all PA
   WHERE CLPV.vuxml_id = V.id
     AND CLPV.port_id  = PA.id
ORDER BY coalesce(V.date_modified, V.date_entry, V.date_discovery) desc, lower(name)
   LIMIT 15;

 category |      port       |    date    |                 vid                  | date_formatted | new |      lower
----------+-----------------+------------+--------------------------------------+----------------+-----+-----------------
 games    | chromium        | 2014-08-13 | df7754c0-2294-11e4-b505-000c6e25e3e9 | Aug 13         | t   | chromium
 www      | chromium        | 2014-08-13 | df7754c0-2294-11e4-b505-000c6e25e3e9 | Aug 13         | t   | chromium
 www      | serf            | 2014-08-11 | 69048656-2187-11e4-802c-20cf30e32f6d | Aug 11         | t   | serf
 devel    | subversion      | 2014-08-11 | 83a418cc-2182-11e4-802c-20cf30e32f6d | Aug 11         | t   | subversion
 devel    | subversion17    | 2014-08-11 | 83a418cc-2182-11e4-802c-20cf30e32f6d | Aug 11         | t   | subversion17
 www      | nginx           | 2014-08-09 | ad747a01-1fee-11e4-8ff1-f0def16c5c1b | Aug 09         | t   | nginx
 www      | nginx-devel     | 2014-08-09 | ad747a01-1fee-11e4-8ff1-f0def16c5c1b | Aug 09         | t   | nginx-devel
 devel    | mingw32-openssl | 2014-08-06 | 8aff07eb-1dbd-11e4-b6ba-3c970e169bc2 | Aug 06         | t   | mingw32-openssl
 security | openssl         | 2014-08-06 | 8aff07eb-1dbd-11e4-b6ba-3c970e169bc2 | Aug 06         | t   | openssl
 net      | krfb            | 2014-08-03 | be5421ab-1b56-11e4-a767-5453ed2e2b49 | Aug 03         | t   | krfb
 security | gpgme           | 2014-08-02 | 90ca3ba5-19e6-11e4-8616-001b3856973b | Aug 02         | t   | gpgme
 security | gpgme03         | 2014-08-02 | 90ca3ba5-19e6-11e4-8616-001b3856973b | Aug 02         | t   | gpgme03
 net      | samba4          | 2014-08-02 | 89ff45e3-1a57-11e4-bebd-000c2980a9f3 | Aug 02         | t   | samba4
 net      | samba41         | 2014-08-02 | 89ff45e3-1a57-11e4-bebd-000c2980a9f3 | Aug 02         | t   | samba41
 x11      | kdelibs3        | 2014-07-31 | 2f90556f-18c6-11e4-9cc4-5453ed2e2b49 | Jul 31         | t   | kdelibs3
(15 rows)

As you can see, there is no selection criteria with respect to the deleted status of the port.

It should be noted that ports_all is a view which includes all ports.

Let’s try ports_active

Let’s try the same query on the ports_active view which deals only with non-deleted ports.:

SELECT DISTINCT
         PA.category,
         PA.name AS port,
         coalesce(V.date_modified, V.date_entry, V.date_discovery) AS date,
         V.vid,
         to_char(coalesce(V.date_modified, V.date_entry, V.date_discovery)::date, 'Mon DD') AS date_formatted,
         V.date_modified IS NULL AS new,
         lower(name)
    FROM commit_log_ports_vuxml CLPV, vuxml V, ports_active PA
   WHERE CLPV.vuxml_id = V.id
     AND CLPV.port_id  = PA.id
ORDER BY coalesce(V.date_modified, V.date_entry, V.date_discovery) desc, lower(name)
   LIMIT 15;

 category |      port       |    date    |                 vid                  | date_formatted | new |      lower
----------+-----------------+------------+--------------------------------------+----------------+-----+-----------------
 www      | chromium        | 2014-08-13 | df7754c0-2294-11e4-b505-000c6e25e3e9 | Aug 13         | t   | chromium
 www      | serf            | 2014-08-11 | 69048656-2187-11e4-802c-20cf30e32f6d | Aug 11         | t   | serf
 devel    | subversion      | 2014-08-11 | 83a418cc-2182-11e4-802c-20cf30e32f6d | Aug 11         | t   | subversion
 devel    | subversion17    | 2014-08-11 | 83a418cc-2182-11e4-802c-20cf30e32f6d | Aug 11         | t   | subversion17
 www      | nginx           | 2014-08-09 | ad747a01-1fee-11e4-8ff1-f0def16c5c1b | Aug 09         | t   | nginx
 www      | nginx-devel     | 2014-08-09 | ad747a01-1fee-11e4-8ff1-f0def16c5c1b | Aug 09         | t   | nginx-devel
 devel    | mingw32-openssl | 2014-08-06 | 8aff07eb-1dbd-11e4-b6ba-3c970e169bc2 | Aug 06         | t   | mingw32-openssl
 security | openssl         | 2014-08-06 | 8aff07eb-1dbd-11e4-b6ba-3c970e169bc2 | Aug 06         | t   | openssl
 net      | krfb            | 2014-08-03 | be5421ab-1b56-11e4-a767-5453ed2e2b49 | Aug 03         | t   | krfb
 security | gpgme           | 2014-08-02 | 90ca3ba5-19e6-11e4-8616-001b3856973b | Aug 02         | t   | gpgme
 net      | samba4          | 2014-08-02 | 89ff45e3-1a57-11e4-bebd-000c2980a9f3 | Aug 02         | t   | samba4
 net      | samba41         | 2014-08-02 | 89ff45e3-1a57-11e4-bebd-000c2980a9f3 | Aug 02         | t   | samba41
 x11      | kdelibs4        | 2014-07-31 | 2f90556f-18c6-11e4-9cc4-5453ed2e2b49 | Jul 31         | t   | kdelibs4
 security | tor             | 2014-07-30 | 31c09848-1829-11e4-bf04-60a44c524f57 | Jul 30         | t   | tor
 security | tor-devel       | 2014-07-30 | 31c09848-1829-11e4-bf04-60a44c524f57 | Jul 30         | t   | tor-devel
(15 rows)

You will see that much has changed. kdelibs4 is now listed, instead of kdelibs3, as well as tor and tor-devel. We have also dropped games/chromium, which was also a deleted port.

This is a simple change to make; the proverbial one-line-change.

I’ll wait for comment before I proceed, but this seems to be a change to make.

Website Pin Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google StumbleUpon Premium Responsive

Leave a Comment

Scroll to Top