Not sure who to address this to, so hopefully someone more knowledgeable about VuXML can explain what needs to be fixed here.
https://vuxml.freebsd.org/freebsd/094e4a5b-6511-11ed-8c5e-206a8a720317.html gives incorrect "affected packages" for the main `krb5` package: it claims that all versions < 1.20_1 are affected, but in fact the vulnerable versions are 1.20 < x < 1.20_1 OR 1.19 < x < 1.19.3_1 OR x < 1.19. This means that if you have KRB5_VERSION=119 set in make.conf, you will get packages that are *not* vulnerable, but `pkg audit` will claim that they are.

-GAWollman
