On Tue, May 12, 2026 at 12:05 PM Piotr Smyrak <[email protected]> wrote:

> On Tue, 12 May 2026 13:00:50 +0200
> Fernando Apesteguía <[email protected]> wrote:
>
> > On Tue, May 12, 2026 at 10:51 AM Ronald Klop <[email protected]>
> > wrote:
> >
> > > Hi,
> > >
> > > Last entry is of yesterday.
> > >
> > > https://vuxml.freebsd.org/freebsd/
> > >
> > > So I guess it is generated regularly.
> > >
> > > Regards,
> > > Ronald.
> > >
> > >
> > >
> > > *From:* Piotr Smyrak <[email protected]>
> > > *Date:* Tuesday, 12 May 2026 10:31
> > > *To:* [email protected]
> > > *Subject:* expat2 2.8 vulnerability report
> > >
> > > Hello,
> > >
> > > The URL to expat2 vulnerability report regarding CVE-2026-45186
> > > returns 404 error:
> > >
> > > https://vuxml.freebsd.org/freebsd/bacc1417-4d82-11f1-87f3-18dbf25a98c6.html
> > >
> > > Is it expected and that page shall be generated soon, or some system
> > > needs a nudge?
> > >
> > >
> > It was pushed today:
> > commit 9f22d11e50796885e308d61156253b9c29ffb3f6
> > Author: Thierry Thomas <[email protected]>
> > Date:   Tue May 12 00:09:38 2026 +0200 <--------
> >
> >     security/vuxml: adding an entry for expat
> >
> >     See https://blog.hartwork.org/posts/expat-2-8-1-released/
> >     and https://nvd.nist.gov/vuln/detail/CVE-2026-45186
> >
> >     Security:       CVE-2026-45186
> >
> > If you see entries by date:
> > https://vuxml.freebsd.org/freebsd/index-date.html
> > you'll see the most recent one is from yesterday (for appropriate
> > values of "yesterday").
> >
> >  Give it some time.
>
> I have gathered the info needed from git-log, still I was wondering
> whether something got stuck in process as it has not been published on
> WWW, yet available through pkg-audit.
>

That's weird since pkg-audit should fetch the info from VULNXML_SITE which
by default is https://vuxml.freebsd.org/freebsd/vuln.xml.xz

$ fetch https://vuxml.freebsd.org/freebsd/vuln.xml.xz
vuln.xml.xz                                           1203 kB 2595 kBps    00s
$ unxz vuln.xml.xz
$ grep -A10 -B10 CVE-2026-45186 vuln.xml
<name>expat</name>
<name>linux-c7-expat</name>
<name>linux-rl9-expat</name>
<range><lt>2.8.1</lt></range>
</package>
    </affects>
    <description>
        <body xmlns="http://www.w3.org/1999/xhtml">
        <blockquote cite="https://blog.hartwork.org/posts/expat-2-8-1-released/">
          <p>Expat 2.8.1 was released yesterday. The key motivation for cutting a release and doing so now was:</p>
          <p>Fixing vulnerability CVE-2026-45186 that allows easy denial of service.</p>
          <p>See also https://github.com/libexpat/libexpat/pull/1216</p>
        </blockquote>
        </body>
    </description>
    <references>
      <cvename>CVE-2026-45186</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2026-45186</url>
    </references>
    <dates>
      <discovery>2025-10-01</discovery>
      <entry>2026-05-11</entry>
    </dates>
  </vuln>

Certainly the information is there, but the page is not rendering all the
entries.
It is probably a cron job that hasn't run yet.

Cheers.



>
> Thanks guys,
> --
>  Piotr Smyrak
>
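
Added example, not part of the thread and not FreeBSD project code: the grep above cuts the entry off before its vid, so this sketch parses the unpacked vuln.xml, finds the entry for a CVE and derives the HTML page the site should eventually serve for it. The function names are hypothetical, the sample entry is constructed from the output quoted above, and the page URL pattern is assumed from the link in the original question.

```python
import sys
import xml.etree.ElementTree as ET

VUXML_BASE = "https://vuxml.freebsd.org/freebsd/"  # site named in the thread

# Constructed sample: one entry assembled from the grep output and URL quoted above.
SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="bacc1417-4d82-11f1-87f3-18dbf25a98c6">
    <affects><package>
      <name>expat</name><name>linux-c7-expat</name><name>linux-rl9-expat</name>
      <range><lt>2.8.1</lt></range>
    </package></affects>
    <references><cvename>CVE-2026-45186</cvename></references>
    <dates><discovery>2025-10-01</discovery><entry>2026-05-11</entry></dates>
  </vuln>
</vuxml>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def descendants(el, name):
    """All elements at or below el whose local tag name equals name."""
    return [c for c in el.iter() if local(c.tag) == name]

def find_cve(xml_text, cve):
    """Return one dict per <vuln> entry that lists cve in a <cvename>.

    Each <range> bound such as <lt>2.8.1</lt> is rendered as "lt 2.8.1".
    """
    hits = []
    for vuln in descendants(ET.fromstring(xml_text), "vuln"):
        cves = [(e.text or "").strip() for e in descendants(vuln, "cvename")]
        if cve not in cves:
            continue
        affected = []
        for pkg in descendants(vuln, "package"):
            names = [n.text for n in descendants(pkg, "name")]
            ranges = [" ".join(f"{local(b.tag)} {b.text}" for b in r)
                      for r in descendants(pkg, "range")]
            affected.append((names, ranges))
        entry = descendants(vuln, "entry")
        hits.append({
            "vid": vuln.get("vid"), "entry": entry[0].text if entry else None,
            "affected": affected,
            "page": f"{VUXML_BASE}{vuln.get('vid')}.html",  # assumed URL pattern
        })
    return hits

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    print(find_cve(text, "CVE-2026-45186"))
```

Run it with the path to the unpacked vuln.xml as its only argument; without an argument it uses the constructed sample.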
