pkgsrc-Users archive


Re: ANN: Availability of pkg(8)-capable pkgsrc

On 11/12/2016 18:39, Sevan / Venture37 wrote:
> On 13 November 2016 at 00:18, John Marino <> wrote:
>
> > The only thing I could ask the security team is to keep using
> > ranges and not regex.
>
> Do you have an example entry of what you mean?

examples of ranges:
- bind99<9.9.9pl4 	denial-of-service
- mysql-client>5.7<5.7.16 	multiple-vulnerabilities

examples of non-standard entry:
- php{53,54,55}-soycms=<1.4.0c	cross-site-scripting
(=< instead of <=)

example of nonsense URL:
* sun-j{re,dk}14<2.18 multiple-vulnerabilities[3103-3115]
(vuxml was created to add 2 references which is totally normal)
(This is also an example of using curly brackets to create multiple packages per vulnerability; this is a simple example.)

extreme use of curly brackets:
* mysql-server-4.1.{0,1,2,3,4,5,6,7,8,9,10,11,12}{,nb*}
(that should be a range >=4.1.0<=4.1.12nb4)
(the nb numbers should reflect reality, not wildcards. Each one is a unique package identifier. I had to replace these wildcards with nb99, which is just a huge hack, but I had no choice with this input)

more abuse:
* perl{,-thread}-5.8.{[0-4]{,nb*},5{,nb[1-7]},6{,nb[12]}}
* samba-3.0.[0-4]{,a*,nb?}

Most of these can be represented accurately with simple ranges or at worst multiple entries. That's what I mean.
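To make the difference between the two entry styles concrete, here is an added example (not part of the mail and not pkg_install's own code) that matches pkg-vulnerabilities patterns against installed package names. The version comparison is a simplified model of the rules in pkg_install's dewey.c (numbers, `.`, `pl`, `alpha`/`beta`/`rc`, bare letters, and a trailing `nb` revision used only as a tie-breaker); the brace expansion and glob handling are assumptions about how the bracketed entries quoted above are meant to be read. The sample entries are the patterns quoted in the mail plus the proposed range rewrite, with constructed vulnerability labels so the two forms can be told apart.

```python
"""Simplified pkg-vulnerabilities matcher (added example, modeled on
pkg_install's dewey.c; not the project's own implementation)."""
import fnmatch
import re

# Pre-release modifiers sort below the release; "." and "pl" are neutral.
MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0, ".": 0, "_": 0}
TOKEN_RE = re.compile(r"alpha|beta|pre|rc|pl|\d+|[a-z]|\.|_")
# Comparison results (-1, 0, 1) that satisfy each operator.
OPS = {">=": (0, 1), ">": (1,), "<=": (-1, 0), "<": (-1,), "==": (0,), "!=": (-1, 1)}
PATTERN_RE = re.compile(r"^([^<>=!]+)((?:(?:>=|<=|==|!=|>|<)[^<>=!]+)+)$")
OP_RE = re.compile(r"(>=|<=|==|!=|>|<)([^<>=!]+)")


def dewey(version):
    """'9.9.9pl4' -> ([9,0,9,0,9,0,4], 0); '4.1.12nb4' -> ([4,0,1,0,12], 4).
    A bare letter pushes a 0 and then its ordinal, so 1.4.0c > 1.4.0."""
    base, _, nb = version.lower().partition("nb")
    comps = []
    for tok in TOKEN_RE.findall(base):
        if tok.isdigit():
            comps.append(int(tok))
        elif tok in MODIFIERS:
            comps.append(MODIFIERS[tok])
        else:  # single letter such as the 'c' in 1.4.0c
            comps.extend((0, ord(tok) - ord("a") + 1))
    return comps, int(nb) if nb.isdigit() else 0


def cmp_version(a, b):
    """-1, 0 or 1; components are zero-padded and the nb revision breaks ties."""
    ca, nba = dewey(a)
    cb, nbb = dewey(b)
    n = max(len(ca), len(cb))
    ca += [0] * (n - len(ca))
    cb += [0] * (n - len(cb))
    for x, y in zip(ca, cb):
        if x != y:
            return -1 if x < y else 1
    return (nba > nbb) - (nba < nbb)


def expand_braces(pattern):
    """Shell-style brace expansion: 'php{53,54}-x' -> ['php53-x', 'php54-x'].
    The leftmost outermost group is expanded first, so nested groups work."""
    start = pattern.find("{")
    if start < 0:
        return [pattern]
    depth, alts, cur = 0, [], []
    for i in range(start, len(pattern)):
        c = pattern[i]
        if c == "{":
            depth += 1
            if depth == 1:
                continue
        elif c == "}":
            depth -= 1
            if depth == 0:
                alts.append("".join(cur))
                rest = pattern[i + 1:]
                break
        elif c == "," and depth == 1:
            alts.append("".join(cur))
            cur = []
            continue
        cur.append(c)
    else:
        return [pattern]  # unbalanced brace: treat the pattern literally
    return [p for alt in alts for p in expand_braces(pattern[:start] + alt + rest)]


def split_pkgname(pkgname):
    """'mysql-client-5.7.12' -> ('mysql-client', '5.7.12'): split at the
    last '-' that is followed by a digit."""
    m = re.match(r"^(.+)-(\d.*)$", pkgname)
    if not m:
        raise ValueError("no version in " + pkgname)
    return m.group(1), m.group(2)


def match_one(pattern, pkgname):
    """Match one brace-expanded pattern: a version range or a glob."""
    m = PATTERN_RE.match(pattern)
    if m:  # range form: every operator clause must hold
        base, version = split_pkgname(pkgname)
        if base != m.group(1):
            return False
        return all(cmp_version(version, v) in OPS[op] for op, v in OP_RE.findall(m.group(2)))
    if any(c in pattern for c in "<>=!"):  # e.g. the '=<' typo from the mail
        raise ValueError("malformed range: " + pattern)
    return fnmatch.fnmatchcase(pkgname, pattern)


def vulnerabilities(pkgname, entries):
    """Return the labels of all (pattern, label) entries matching pkgname."""
    hits = []
    for pattern, label in entries:
        if any(match_one(p, pkgname) for p in expand_braces(pattern)):
            hits.append(label)
    return hits


# Constructed sample: patterns quoted from the mail, plus the range rewrite it proposes.
SAMPLE_ENTRIES = [
    ("bind99<9.9.9pl4", "denial-of-service"),
    ("mysql-client>5.7<5.7.16", "multiple-vulnerabilities"),
    ("sun-j{re,dk}14<2.18", "multiple-vulnerabilities"),
    ("mysql-server-4.1.{0,1,2,3,4,5,6,7,8,9,10,11,12}{,nb*}", "glob-form"),
    ("mysql-server>=4.1.0<=4.1.12nb4", "range-form"),
]

if __name__ == "__main__":
    for name in ("bind99-9.9.9pl3", "mysql-client-5.7.16", "mysql-server-4.1.12nb5"):
        print(name, vulnerabilities(name, SAMPLE_ENTRIES))
```

Running it on `mysql-server-4.1.12nb5` shows the point of the mail: the `{,nb*}` glob still flags the package, while the range `>=4.1.0<=4.1.12nb4` correctly stops at nb4, because the nb revision identifies a distinct package rather than a wildcard family.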
