> On 29 January 2016 at 10:59, Landry Breuil <lan...@rhaalovely.net> wrote:
> Which means.. sevan, instead of dropping a cold list of 'boooh, ports
> affected by cves found on the internet' (that's how i interpret your
> mails titled "Vulnerable package in ports tree"), it would be great if
> you could assess the severity of the 'vulnerabilities' and check if they
> actually affect the version we have in ports.
>
> Yeah, i know, more homework, but in the end everyone wins :)

Apologies guys about the false alarm. I'm not just blindly matching CVE with package name which I draft into an email. For the qemu entry, though the patch went into the qemu tree early last year, the advisory was only published this month. Looking in cvsweb, though the affected file does include a patch in ports, the CVE referenced is not listed (I should've looked at patches, not making any assumptions). What I'm saying is that I made a small effort, piled up on a couple of mistakes. For Subversion, I took a listing elsewhere as correct (everything before 1.9.3).

Will try harder next time (earlier in the night as well).

Sevan