John Marino wrote in to mention that the list of latest vulnerabilities (see the right hand column of the Latest Vulnerabilities“>home page) indicates that x11/kdelibs3. While it is true that the vulnerability in question applies to kdelibs < 4.12.5_3, x11/kdelibs3 was removed from the FreeBSD ports tree on 26 Jul 2013.
Background
The list in question is generated each time a commit occurs to the security/vuxml/vuln.xml file. That script runs this query to get the list of affected ports:
SELECT DISTINCT
PA.category,
PA.name AS port,
coalesce(V.date_modified, V.date_entry, V.date_discovery) AS date,
V.vid,
to_char(coalesce(V.date_modified, V.date_entry, V.date_discovery)::date, 'Mon DD') AS date_formatted,
V.date_modified IS NULL AS new,
lower(name)
FROM commit_log_ports_vuxml CLPV, vuxml V, ports_all PA
WHERE CLPV.vuxml_id = V.id
AND CLPV.port_id = PA.id
ORDER BY coalesce(V.date_modified, V.date_entry, V.date_discovery) desc, lower(name)
LIMIT 15;
category | port | date | vid | date_formatted | new | lower
----------+-----------------+------------+--------------------------------------+----------------+-----+-----------------
games | chromium | 2014-08-13 | df7754c0-2294-11e4-b505-000c6e25e3e9 | Aug 13 | t | chromium
www | chromium | 2014-08-13 | df7754c0-2294-11e4-b505-000c6e25e3e9 | Aug 13 | t | chromium
www | serf | 2014-08-11 | 69048656-2187-11e4-802c-20cf30e32f6d | Aug 11 | t | serf
devel | subversion | 2014-08-11 | 83a418cc-2182-11e4-802c-20cf30e32f6d | Aug 11 | t | subversion
devel | subversion17 | 2014-08-11 | 83a418cc-2182-11e4-802c-20cf30e32f6d | Aug 11 | t | subversion17
www | nginx | 2014-08-09 | ad747a01-1fee-11e4-8ff1-f0def16c5c1b | Aug 09 | t | nginx
www | nginx-devel | 2014-08-09 | ad747a01-1fee-11e4-8ff1-f0def16c5c1b | Aug 09 | t | nginx-devel
devel | mingw32-openssl | 2014-08-06 | 8aff07eb-1dbd-11e4-b6ba-3c970e169bc2 | Aug 06 | t | mingw32-openssl
security | openssl | 2014-08-06 | 8aff07eb-1dbd-11e4-b6ba-3c970e169bc2 | Aug 06 | t | openssl
net | krfb | 2014-08-03 | be5421ab-1b56-11e4-a767-5453ed2e2b49 | Aug 03 | t | krfb
security | gpgme | 2014-08-02 | 90ca3ba5-19e6-11e4-8616-001b3856973b | Aug 02 | t | gpgme
security | gpgme03 | 2014-08-02 | 90ca3ba5-19e6-11e4-8616-001b3856973b | Aug 02 | t | gpgme03
net | samba4 | 2014-08-02 | 89ff45e3-1a57-11e4-bebd-000c2980a9f3 | Aug 02 | t | samba4
net | samba41 | 2014-08-02 | 89ff45e3-1a57-11e4-bebd-000c2980a9f3 | Aug 02 | t | samba41
x11 | kdelibs3 | 2014-07-31 | 2f90556f-18c6-11e4-9cc4-5453ed2e2b49 | Jul 31 | t | kdelibs3
(15 rows)
As you can see, there is no selection criteria with respect to the deleted status of the port.
It should be noted that ports_all is a view which includes all ports.
Let’s try ports_active
Let’s try the same query on the ports_active view which deals only with non-deleted ports.:
SELECT DISTINCT
PA.category,
PA.name AS port,
coalesce(V.date_modified, V.date_entry, V.date_discovery) AS date,
V.vid,
to_char(coalesce(V.date_modified, V.date_entry, V.date_discovery)::date, 'Mon DD') AS date_formatted,
V.date_modified IS NULL AS new,
lower(name)
FROM commit_log_ports_vuxml CLPV, vuxml V, ports_active PA
WHERE CLPV.vuxml_id = V.id
AND CLPV.port_id = PA.id
ORDER BY coalesce(V.date_modified, V.date_entry, V.date_discovery) desc, lower(name)
LIMIT 15;
category | port | date | vid | date_formatted | new | lower
----------+-----------------+------------+--------------------------------------+----------------+-----+-----------------
www | chromium | 2014-08-13 | df7754c0-2294-11e4-b505-000c6e25e3e9 | Aug 13 | t | chromium
www | serf | 2014-08-11 | 69048656-2187-11e4-802c-20cf30e32f6d | Aug 11 | t | serf
devel | subversion | 2014-08-11 | 83a418cc-2182-11e4-802c-20cf30e32f6d | Aug 11 | t | subversion
devel | subversion17 | 2014-08-11 | 83a418cc-2182-11e4-802c-20cf30e32f6d | Aug 11 | t | subversion17
www | nginx | 2014-08-09 | ad747a01-1fee-11e4-8ff1-f0def16c5c1b | Aug 09 | t | nginx
www | nginx-devel | 2014-08-09 | ad747a01-1fee-11e4-8ff1-f0def16c5c1b | Aug 09 | t | nginx-devel
devel | mingw32-openssl | 2014-08-06 | 8aff07eb-1dbd-11e4-b6ba-3c970e169bc2 | Aug 06 | t | mingw32-openssl
security | openssl | 2014-08-06 | 8aff07eb-1dbd-11e4-b6ba-3c970e169bc2 | Aug 06 | t | openssl
net | krfb | 2014-08-03 | be5421ab-1b56-11e4-a767-5453ed2e2b49 | Aug 03 | t | krfb
security | gpgme | 2014-08-02 | 90ca3ba5-19e6-11e4-8616-001b3856973b | Aug 02 | t | gpgme
net | samba4 | 2014-08-02 | 89ff45e3-1a57-11e4-bebd-000c2980a9f3 | Aug 02 | t | samba4
net | samba41 | 2014-08-02 | 89ff45e3-1a57-11e4-bebd-000c2980a9f3 | Aug 02 | t | samba41
x11 | kdelibs4 | 2014-07-31 | 2f90556f-18c6-11e4-9cc4-5453ed2e2b49 | Jul 31 | t | kdelibs4
security | tor | 2014-07-30 | 31c09848-1829-11e4-bf04-60a44c524f57 | Jul 30 | t | tor
security | tor-devel | 2014-07-30 | 31c09848-1829-11e4-bf04-60a44c524f57 | Jul 30 | t | tor-devel
(15 rows)
You will see that much has changed. kdelibs4 is now listed, instead of kdelibs3, as well as tor and tor-devel. We have also dropped games/chromium, which was also a deleted port.
This is a simple change to make; the proverbial one-line-change.
I’ll wait for comment before I proceed, but this seems to be a change to make.
