webkit2-gtk3 and ruby-2.5 vulnerabilities!

In FreeBSD this reports the system as vulnerable; any ideas? The ports have been updated.


# pkg audit -F
vulnxml file up-to-date
webkit2-gtk3-2.24.3_1 is vulnerable:
webkit2-gtk3 -- Multiple vulnerabilities
CVE: CVE-2019-8690
CVE: CVE-2019-8689
CVE: CVE-2019-8688
CVE: CVE-2019-8687
CVE: CVE-2019-8686
CVE: CVE-2019-8684
CVE: CVE-2019-8683
CVE: CVE-2019-8681
CVE: CVE-2019-8680
CVE: CVE-2019-8679
CVE: CVE-2019-8678
CVE: CVE-2019-8677
CVE: CVE-2019-8676
CVE: CVE-2019-8673
CVE: CVE-2019-8672
CVE: CVE-2019-8671
CVE: CVE-2019-8669
CVE: CVE-2019-8666
CVE: CVE-2019-8658
CVE: CVE-2019-8649
CVE: CVE-2019-8644
WWW: https://vuxml.FreeBSD.org/freebsd/e45c3669-caf2-11e9-851a-dcf3aaa3f3ff.html

ruby-2.5.5_3,1 is vulnerable:
RDoc -- multiple jQuery vulnerabilities
CVE: CVE-2015-9251
CVE: CVE-2012-6708
WWW: https://vuxml.FreeBSD.org/freebsd/ed8d5535-ca78-11e9-980b-999ff59c22ea.html

2 problem(s) in 2 installed package(s) found.
#

Trying to fix those vulnerabilities, the system shows that it would just reinstall the same version.
# portmaster webkit2-gtk3-2

===>>> Currently installed version: webkit2-gtk3-2.24.3_1
===>>> Port directory: /usr/ports/www/webkit2-gtk3

===>>> Gathering distinfo list for installed ports
          ........................            ..........      .............
          ........................            ..........      .............
===>>> webkit2-gtk3-2.24.3_1 >> (43)

===>>> The following actions will be taken if you choose to proceed:
Re-install webkit2-gtk3-2.24.3_1
Install devel/bison
Install print/texinfo
Install converters/p5-Text-Unidecode
        ..................       .................      .................
        ..................       .................      .................

===>>> Proceed? y/n [y] n


===>>> If you would like to upgrade or install some, but not
all of the above try adding '-i' to the command line.
#
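The check this question is really asking for is whether `pkg audit` flags a package for which the ports tree already carries a newer version, or whether the installed version is the newest one there is (in which case rebuilding from ports cannot help). That cross-check can be scripted. The block below is an added example, not the poster's commands and not part of pkg(8): it parses the text output of `pkg audit -F` and `pkg version -vP` and classifies every vulnerable package. The two sample outputs embedded in it are constructed to mirror the format shown above (the ruby version in the `pkg version` sample is made up); `main()` runs the real commands when the script is executed on a FreeBSD host.

```python
"""Cross-check `pkg audit -F` against `pkg version -vP`.

Added example for this thread; not code from pkg(8) or from the thread.
Both inputs are parsed from text so the logic runs offline; the samples
below are CONSTRUCTED to mirror the real output format.
"""
import re
import subprocess

# Constructed sample of `pkg audit -F` output (same layout as in the post).
AUDIT_SAMPLE = """\
vulnxml file up-to-date
webkit2-gtk3-2.24.3_1 is vulnerable:
webkit2-gtk3 -- Multiple vulnerabilities
CVE: CVE-2019-8690
CVE: CVE-2019-8689
WWW: https://vuxml.FreeBSD.org/freebsd/e45c3669-caf2-11e9-851a-dcf3aaa3f3ff.html

ruby-2.5.5_3,1 is vulnerable:
RDoc -- multiple jQuery vulnerabilities
CVE: CVE-2015-9251
CVE: CVE-2012-6708
WWW: https://vuxml.FreeBSD.org/freebsd/ed8d5535-ca78-11e9-980b-999ff59c22ea.html

2 problem(s) in 2 installed package(s) found.
"""

# Constructed sample of `pkg version -vP` output; the ruby "port has"
# version is invented for the example.
VERSION_SAMPLE = """\
ruby-2.5.5_3,1                     <   needs updating (port has 2.5.6,1)
webkit2-gtk3-2.24.3_1              =   up-to-date with port
"""

# A FreeBSD package name is <base>-<version>; the version never contains '-'.
PKG_RE = re.compile(r"^(?P<base>.+)-(?P<ver>[^-]+)$")
VULN_RE = re.compile(r"^(\S+) is vulnerable:$")
VERSION_RE = re.compile(r"^(?P<pkg>\S+)\s+(?P<cmp>[<>=?!])\s*(?P<note>.*)$")
AVAIL_RE = re.compile(r"\((?:index|port|remote) has (?P<ver>[^)]+)\)")


def split_pkgname(pkgname):
    m = PKG_RE.match(pkgname)
    if not m:
        raise ValueError(f"not a package name: {pkgname!r}")
    return m.group("base"), m.group("ver")


def parse_pkg_audit(text):
    """Return {pkgname: {"titles": [...], "cves": [...], "urls": [...]}}.
    A package may appear in several VuXML entries; they are merged."""
    findings, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = VULN_RE.match(line)
        if m:
            current = findings.setdefault(m.group(1), {"titles": [], "cves": [], "urls": []})
        elif current is None:
            continue
        elif line.startswith("CVE: "):
            current["cves"].append(line[5:])
        elif line.startswith("WWW: "):
            current["urls"].append(line[5:])
        elif line == "":
            current = None          # blank line ends the entry
        else:
            current["titles"].append(line)
    return findings


def parse_pkg_version(text):
    """Return {base: {"installed", "cmp", "available"}} from `pkg version -v`."""
    out = {}
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if not m:
            continue
        base, installed = split_pkgname(m.group("pkg"))
        avail = AVAIL_RE.search(m.group("note"))
        out[base] = {"installed": installed, "cmp": m.group("cmp"),
                     "available": avail.group("ver") if avail else None}
    return out


def triage(audit_text, version_text):
    """'upgrade' if the ports tree has a newer version, 'no-fix-in-ports'
    if the installed one is the newest, 'unknown' if pkg version cannot tell."""
    versions = parse_pkg_version(version_text)
    rows = []
    for pkgname, info in parse_pkg_audit(audit_text).items():
        base, installed = split_pkgname(pkgname)
        v = versions.get(base)
        if v is None or v["cmp"] in "?!":
            action = "unknown"
        elif v["cmp"] == "<":
            action = "upgrade"
        else:
            action = "no-fix-in-ports"
        rows.append({"package": pkgname, "installed": installed,
                     "available": v["available"] if v else None,
                     "cves": len(info["cves"]), "action": action})
    return rows


def main():
    # pkg audit exits non-zero when it finds something, so no check=True.
    audit = subprocess.run(["pkg", "audit", "-F"], capture_output=True, text=True).stdout
    vers = subprocess.run(["pkg", "version", "-vP"], capture_output=True, text=True).stdout
    for r in triage(audit, vers):
        extra = f" (port has {r['available']})" if r["available"] else ""
        print(f"{r['package']:<30} {r['cves']:>3} CVE(s)  {r['action']}{extra}")


if __name__ == "__main__":
    main()
```

A package reported as `no-fix-in-ports` is exactly the situation in this thread: `pkg audit` is correct, the ports tree is current, and the only options are a maintainer update, a local bump, or removing the package.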
 
Hey,
I've never used portmaster. But since your log shows "Port directory: /usr/ports/...", you might have to update your ports tree first.
portsnap fetch update
 
> Hey,
> I've never used portmaster. But since your log shows "Port directory: /usr/ports/...", you might have to update your ports tree first.
> portsnap fetch update

The first thing I did was to update the entire ports collection tree.
 
I guess you have to wait until a newer version gets released.

2.24.3_1 is newest.
 
> I guess you have to wait until a newer version gets released.
>
> 2.24.3_1 is newest.

Who will be responsible for keeping these two dependencies up to date?
 
pkg info webkit2-gtk3
pkg info ruby

Look out for the keyword maintainer and write 'em a kind¹ note.

¹The higher the kindness, the higher the probability of getting an answer.
 
In case you can't or don't want to wait for the maintainers to update the ports:
# mkdir -p /root/ports/www
# cd /root/ports/www
# cp -r /usr/ports/www/webkit2-gtk3 webkit2-gtk3
# cd webkit2-gtk3
# sed -e "s|2.24.3|2.24.4|g" -i "" Makefile
# sed -e "s|libjavascriptcoregtk-4.0.so.18.13.6|libjavascriptcoregtk-4.0.so.18.13.7|g" -i "" pkg-plist
# sed -e "s|libwebkit2gtk-4.0.so.37.37.5|libwebkit2gtk-4.0.so.37.37.6|g" -i "" pkg-plist
# make makesum
# make
# make deinstall
# make install clean
# pkg delete ruby
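The same local bump as the sed commands above, written as a reusable script. This is an added example, not the poster's commands and not a FreeBSD tool. It works on a copy of the port (never on /usr/ports itself), rewrites the PORTVERSION or DISTVERSION line only, drops PORTREVISION because a new upstream version restarts the revision count (the sed above would otherwise produce 2.24.4_1), and refuses to proceed if a shared-library soname it was told to rewrite is not actually in pkg-plist. The new soname numbers are an assumption that must be taken from the new release, and the sample Makefile and pkg-plist embedded here are constructed. After it has run, `make makesum && make && make deinstall && make install clean` inside the copy are still the manual steps.

```python
"""Bump a FreeBSD port to a newer upstream version in a local copy.

Added example for this thread; not the poster's commands, not a ports tool.
The sample port written by write_sample_port() is CONSTRUCTED.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for www/webkit2-gtk3/Makefile and pkg-plist.
SAMPLE_MAKEFILE = (
    "# $FreeBSD$\n\n"
    "PORTNAME=\twebkit2-gtk3\n"
    "PORTVERSION=\t2.24.3\n"
    "PORTREVISION=\t1\n"
    "CATEGORIES=\twww\n"
)
SAMPLE_PLIST = "\n".join([
    "lib/libjavascriptcoregtk-4.0.so",
    "lib/libjavascriptcoregtk-4.0.so.18",
    "lib/libjavascriptcoregtk-4.0.so.18.13.6",
    "lib/libwebkit2gtk-4.0.so",
    "lib/libwebkit2gtk-4.0.so.37",
    "lib/libwebkit2gtk-4.0.so.37.37.5",
]) + "\n"

VERSION_RE = re.compile(
    r"^(?P<key>(?:PORT|DIST)VERSION)(?P<ws>[=\t ]+)(?P<old>\S+)[ \t]*$", re.M)
PORTREVISION_RE = re.compile(r"^PORTREVISION[=\t ]+\S+[ \t]*\n", re.M)


def write_sample_port(path):
    path = Path(path)
    path.mkdir(parents=True)
    (path / "Makefile").write_text(SAMPLE_MAKEFILE)
    (path / "pkg-plist").write_text(SAMPLE_PLIST)


def bump_port(src, dst, new_version, shlib_bumps):
    """Copy port dir src to dst and edit the copy.

    shlib_bumps maps old soname -> new soname, e.g.
    {"libwebkit2gtk-4.0.so.37.37.5": "libwebkit2gtk-4.0.so.37.37.6"}.
    Returns a dict of what changed, so it can be reviewed before building.
    """
    src, dst = Path(src), Path(dst)
    if dst.exists():
        raise FileExistsError(f"{dst} exists; refusing to overwrite")
    shutil.copytree(src, dst)
    changes = {"version": None, "portrevision_dropped": False, "plist": {}}

    makefile = dst / "Makefile"
    text = makefile.read_text()
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no PORTVERSION/DISTVERSION line in Makefile")
    changes["version"] = (m.group("old"), new_version)
    # Replace only the version token, not every occurrence of the old string.
    text = text[:m.start("old")] + new_version + text[m.end("old"):]
    # A new upstream version restarts PORTREVISION, so the line goes away.
    text, dropped = PORTREVISION_RE.subn("", text)
    changes["portrevision_dropped"] = bool(dropped)
    makefile.write_text(text)

    plist = dst / "pkg-plist"
    if plist.exists():
        ptext = plist.read_text()
        for old, new in shlib_bumps.items():
            # Match the full soname only: "…so.37" must not be touched when
            # "…so.37.37.5" is being rewritten.
            pat = re.compile(re.escape(old) + r"(?![\w.])")
            ptext, n = pat.subn(new, ptext)
            if n == 0:
                raise ValueError(f"{old} not in pkg-plist; check the soname")
            changes["plist"][old] = (new, n)
        plist.write_text(ptext)
    return changes


def demo():
    """Bump the constructed sample port in a temp dir; returns the results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ports" / "www" / "webkit2-gtk3"
        dst = Path(tmp) / "local" / "www" / "webkit2-gtk3"
        write_sample_port(src)
        changes = bump_port(src, dst, "2.24.4", {
            "libjavascriptcoregtk-4.0.so.18.13.6": "libjavascriptcoregtk-4.0.so.18.13.7",
            "libwebkit2gtk-4.0.so.37.37.5": "libwebkit2gtk-4.0.so.37.37.6",
        })
        return changes, (dst / "Makefile").read_text(), (dst / "pkg-plist").read_text()


if __name__ == "__main__":
    ch, mk, pl = demo()
    print(ch)
    print(mk)
    print(pl)
```

For a real port, call `bump_port("/usr/ports/www/webkit2-gtk3", "/root/ports/www/webkit2-gtk3", "2.24.4", {...})` with the sonames of the new release, then run the make steps in the copy.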
 