On 2007.07.25 06:30:31 +0800, Xin LI wrote:
> Simon L. Nielsen wrote:
>> On 2007.07.24 14:17:07 +0000, Xin LI wrote:
>>> delphij     2007-07-24 14:17:07 UTC
>>> 
>>>   FreeBSD ports repository
>>> 
>>>   Modified files:
>>>     security/vuxml       vuln.xml
>>>
>>>   Log:
>>>   The previous vuxml entry applies to jakarta-tomcat 4.0.x as well, so mark
>>>   it as affected as well.  Since there is no newer release I have used 4.1.0
>>>   as the "fixed" version.
>> Has it actually been fixed in 4.1.0?  If not you should just not set a
>> top version to avoid a new release which actually doesn't fix the
>> issue being marked secure.
> 
> No.  The version is chosen because 4.1.0 is greater than the possible 
> version (the port itself is 4.0.x).  Should there be a better way to 
> represent it, please feel free to commit a fix, thanks!

I just checked http://tomcat.apache.org/security-4.html - and from
reading that the fixes should be in 4.1.36 (even if that isn't in
ports), does that seem correct?  I never used tomcat so I don't know
if I'm missing something.  If it is fixed in upstream 4.1.36 it
would be fine just to mark the vulnerability as fixed in 4.1.36, even
if that isn't in ports yet.

-- 
Simon L. Nielsen
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
