On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:

Jacques: Thanks for pointing out the ports I missed. I have snipped them from the discussion so we can concentrate on the others.

I see ImageMagick in the names for this vuln. Where does ImageMagick-nox11 enter the picture?

Looking at the data:

<package> <name>libtool</name> <range><ge>1.3</ge><lt>1.3.5_2</lt></range> <range><ge>1.4</ge><lt>1.4.3_3</lt></range> <range><ge>1.5</ge><lt>1.5.2</lt></range> </package>

I suggest we need three package entries to cover the various FreeBSD ports which have existed. Please see the mysql suggestion below for an example of what I mean.

This URL shows the libtool ports in question.

http://www.freshports.org/search.php?stype=name&method=match&query=libtool&num=10&deleted=includedeleted&casesensitivity=caseinsensitive&search=Search&orderby=category&orderbyupdown=asc

We have mpg123, but no mpg123-esound. I wonder where it comes from.

I don't know what to do about those. The vuln has an entry for mplayer, so we'll catch that on FreshPorts, but not the other tree.

FreshPorts, or any other code for that matter, has no way of knowing that port this vuln entry refers to. Intuitively, yes, we know it's going to be one of mysql323-client, ysql40-client, and mysql50-client.

Yes, the range entries help human eyes:

<range><ge>4.1</ge><lt>4.1.3</lt></range> <range><ge>5</ge><le>5.0.0_2</le></range>

I suggest we need two packages:

<package> <name>mysql40-client</name> <range><ge>4.0</ge><lt>4.0.20</lt></range> <range><ge>4.1</ge><lt>4.1.1_2</lt></range> </package> <package> <name>mysql50-client</name> <range><ge>5.0</ge><lt>5.0.0_2</lt></range> </package> </affects>

Should the entry be modified to refer explicity to

Moving things around isn't so much of a problem. Locating them in the first place is the issue. Later moves are not a problem.