<ydo6unw6bn.fsf@UBEblock.psr.com>


Path: news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail
From: Winston <wbe@UBEBLOCK.psr.com.invalid>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: pkg/ports, pkg audit, and libxml2
Date: Mon, 16 Jun 2025 20:38:20 -0400
Organization: A noiseless patient Spider
Lines: 29
Message-ID: <ydo6unw6bn.fsf@UBEblock.psr.com>
References: <ydwm9evsy6.fsf@UBEblock.psr.com>
	<slrn10504te.1p7b.naddy@lorvorc.mips.inka.de>
MIME-Version: 1.0
Content-Type: text/plain
Injection-Date: Tue, 17 Jun 2025 02:38:26 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="2f34a336931e0e2fbf4401fe0574e7b4";
	logging-data="2077316"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1+5Ko3Uj7nMSFJ+QnXx3Cdz"
User-Agent: Gnus/5.13 (Gnus v5.13)
Cancel-Lock: sha1:LUl1ce8LbPiqeJioacPq+SnO4H8=
	sha1:LKdmO1vkZiiLkzRxx+R1nnUC4gw=
Mail-Copies-To: never

I previously wrote:
>> The links from 'pkg audit' to pages describing its issues
>> gave the version number required to resolve the issues.

to which Christian Weisgerber <naddy@mips.inka.de> replied:
> They do?  All I see is that such-and-such version is affected.

but then added:

> The vuxml entry has a <range> element, which typically just contains
> a <lt> (less than), indicating that any version LESS THAN the given
> FreeBSD package version is affected.

Yes, which I see as equivalent to "giving the version number required to
resolve the issues", since, as you say, it's '<', not '<='.

> Sometimes people create the vuxml entry when they upgrade the port to
> a version with a fix, sometimes they create the vuxml entry before a
> fix is available.

[Leaving out a lot, rather than quoting it all ...]

OK, I think you've answered my original question: the vulnerability
description having a version number for the fix does NOT mean that said
fix is actually available yet -- it could be just the version number
that eventually will be used once the fix does become available.

Thanks,
 -WBE
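
Added example, not part of the original post: a Python sketch of the distinction the thread settles on, where the <lt> bound in a vuxml <range> names the first unaffected version, and whether that version can be installed yet is a separate check. The XML fragment, the package name "examplelib", all version strings, and the simplified ver_key() ordering are constructed assumptions; pkg's own version comparison handles more cases.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified VuXML-style fragment (not a real entry).
SAMPLE = """
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>examplelib -- constructed sample</topic>
  <affects>
    <package>
      <name>examplelib</name>
      <range><lt>2.5.1_1</lt></range>
    </package>
  </affects>
</vuln>
"""

def ver_key(v):
    """Simplified ordering key (assumption): epoch after ',', dotted
    numbers, then the port revision after '_'."""
    v, _, epoch = v.partition(",")
    v, _, rev = v.partition("_")
    nums = tuple(int(n) for n in re.findall(r"\d+", v))
    return (int(epoch or 0), nums, int(rev or 0))

def lt_bounds(xml_text):
    """Return {package name: [<lt> bounds]} from a VuXML-style entry."""
    out = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        out[pkg.findtext("name")] = [lt.text for lt in pkg.iter("lt")]
    return out

def status(installed, available, bound):
    """Classify a package given what is installed, what the repository
    currently offers, and the <lt> bound from the advisory."""
    if ver_key(installed) >= ver_key(bound):
        return "not affected"
    if ver_key(available) >= ver_key(bound):
        return "affected, fix available: upgrade"
    # The bound exists in the advisory, but nothing installable reaches it yet.
    return "affected, fix not yet available"

if __name__ == "__main__":
    for name, bounds in lt_bounds(SAMPLE).items():
        for b in bounds:
            # Constructed inventory: 2.5.1 installed, repository also at 2.5.1.
            print(name, "<", b, "->", status("2.5.1", "2.5.1", b))
```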