security/openssl has know vulnerabilities?

[derekschrock]

Why does the current security/openssl report with known vulnerabilities?

From the following URL http://portaudit.freebsd.org/5c5f19ce-43af-11e1-89b4-001ec9578670.html

Affects:
    * openssl <1.0.0_9

then http://www.openssl.org/news/secadv_20120118.txt

Affected users should upgrade to OpenSSL 1.0.0g or 0.9.8t.

As of 01/22 6:02 EST security/openssl is downloading 1.0.0g from distinfo:

SHA256 (openssl-1.0.0g/openssl-1.0.0g.tar.gz) = 905106a1505e7d9f7c36ee81408d3aa3d41aac291a9603d0c290c9530c92fc2c

Is distinfo not a valid method to figure out what version the port uses or should the portaudit auditfile be "openssl<1.0.0_9" not "openssl<1.0.0g"?

 

[gessel]

Try updating the portaudit database

# portaudit -F

 

[derekschrock]

Yeah, last nights nightly portaudit run updated the db file. Looks like the line was changed to 1.0.0_9 from 1.0.0g. I can now update openssl without bsd.ports.mk stopping the build.