Vuxml URLs
1 view
Skip to first unread message
fatty.merc...@aceecat.org
May 12, 2026, 1:30:47 PM (yesterday) May 12
to ques...@freebsd.org
I run `pkg audit -F` daily from periodic; not the stock script for
this purpose but my own close adaptation. I can post the whole script
but it should not be necessary for this discussion.
Lately I found that the reference URL given for each newly found
vulnerability is almost never operative. Example today:
...
expat-2.7.5 is vulnerable:
Vulnerability found in Expat
CVE: CVE-2026-45186
WWW: https://vuxml.FreeBSD.org/freebsd/bacc1417-4d82-11f1-87f3-18dbf25a98c6.html
and browsing to the URL just gives me a "404".
I don't understand this. I could understand if there was a delay
between finding the vulnerability and putting the webpage up; but in
that case, would it not be better to not include the URL at all until
it is actually good to access?
--
Ian
this purpose but my own close adaptation. I can post the whole script
but it should not be necessary for this discussion.
Lately I found that the reference URL given for each newly found
vulnerability is almost never operative. Example today:
...
expat-2.7.5 is vulnerable:
Vulnerability found in Expat
CVE: CVE-2026-45186
WWW: https://vuxml.FreeBSD.org/freebsd/bacc1417-4d82-11f1-87f3-18dbf25a98c6.html
and browsing to the URL just gives me a "404".
I don't understand this. I could understand if there was a delay
between finding the vulnerability and putting the webpage up; but in
that case, would it not be better to not include the URL at all until
it is actually good to access?
--
Ian
Dag-Erling Smørgrav
May 12, 2026, 3:05:14 PM (24 hours ago) May 12
to ques...@freebsd.org
fatty.merc...@aceecat.org writes:
> Lately I found that the reference URL given for each newly found
> vulnerability is almost never operative. Example today:
>
> ...
>
> expat-2.7.5 is vulnerable:
> Vulnerability found in Expat
> CVE: CVE-2026-45186
> WWW: https://vuxml.FreeBSD.org/freebsd/bacc1417-4d82-11f1-87f3-18dbf25a98c6.html
>
> and browsing to the URL just gives me a "404".
This entry was added earlier today. The website has not been updated
> Lately I found that the reference URL given for each newly found
> vulnerability is almost never operative. Example today:
>
> ...
>
> expat-2.7.5 is vulnerable:
> Vulnerability found in Expat
> CVE: CVE-2026-45186
> WWW: https://vuxml.FreeBSD.org/freebsd/bacc1417-4d82-11f1-87f3-18dbf25a98c6.html
>
> and browsing to the URL just gives me a "404".
since 24c9096b86b0 on Sunday. Most likely, the service responsible for
updating it is down. I'll poke clusteradm.
DES
--
Dag-Erling Smørgrav - d...@FreeBSD.org
Philip Paeps
May 12, 2026, 7:47:33 PM (19 hours ago) May 12
to fatty.merc...@aceecat.org, ques...@freebsd.org
Where does vuxml.FreeBSD.org point you? Perhaps one of our mirrors
isn't working well. (Though we should have noticed.)
Philip
Dag-Erling Smørgrav
1:00 AM (14 hours ago) 1:00 AM
to Philip Paeps, fatty.merc...@aceecat.org, ques...@freebsd.org
Philip Paeps <phi...@freebsd.org> writes:
It works for me as well now but it didn't yesterday; it was stuck on
24c9096b86b0 from Sunday. Now it's stuck on 70439fe03243 which is about
18 hours old and 12 hours behind the most recent commit (894f968898e1).
894f968898e1 security/vuxml: Mark security/zeek < 8.0.8 as vulnerable as per:
6d0e297d8350 security/vuxml: Add dnsmasq vulnerabilities
70439fe03243 security/vuxml: Add prosody vulnerability
9f22d11e5079 security/vuxml: adding an entry for expat
260dc0d24d43 security/vuxml: Remove warning
0dc651fe0412 security/vuxml: add CVEs for Prosody advisory 2026-04-29
24c9096b86b0 security/vuxml: Document dash entry
> Where does vuxml.FreeBSD.org point you? Perhaps one of our mirrors
> isn't working well. (Though we should have noticed.)
For me, wfe0.sjb.freebsd.org (85.30.190.141) in Sweden.
> fatty.merc...@aceecat.org writes:
> > https://vuxml.FreeBSD.org/freebsd/bacc1417-4d82-11f1-87f3-18dbf25a98c6.html
> >
> > and browsing to the URL just gives me a "404".
> This link works here...
> > https://vuxml.FreeBSD.org/freebsd/bacc1417-4d82-11f1-87f3-18dbf25a98c6.html
> >
> > and browsing to the URL just gives me a "404".
It works for me as well now but it didn't yesterday; it was stuck on
24c9096b86b0 from Sunday. Now it's stuck on 70439fe03243 which is about
18 hours old and 12 hours behind the most recent commit (894f968898e1).
894f968898e1 security/vuxml: Mark security/zeek < 8.0.8 as vulnerable as per:
6d0e297d8350 security/vuxml: Add dnsmasq vulnerabilities
70439fe03243 security/vuxml: Add prosody vulnerability
9f22d11e5079 security/vuxml: adding an entry for expat
260dc0d24d43 security/vuxml: Remove warning
0dc651fe0412 security/vuxml: add CVEs for Prosody advisory 2026-04-29
24c9096b86b0 security/vuxml: Document dash entry
> Where does vuxml.FreeBSD.org point you? Perhaps one of our mirrors
> isn't working well. (Though we should have noticed.)
Philip Paeps
1:12 AM (14 hours ago) 1:12 AM
to Dag-Erling Smørgrav, fatty.merc...@aceecat.org, ques...@freebsd.org
On 2026-05-13 13:00:08 (+0800), Dag-Erling Smørgrav wrote:
> Philip Paeps <phi...@freebsd.org> writes:
>> fatty.merc...@aceecat.org writes:
>>> https://vuxml.FreeBSD.org/freebsd/bacc1417-4d82-11f1-87f3-18dbf25a98c6.html
>>>
>>> and browsing to the URL just gives me a "404".
>> This link works here...
>
> It works for me as well now but it didn't yesterday; it was stuck on
> 24c9096b86b0 from Sunday. Now it's stuck on 70439fe03243 which is
> about
> 18 hours old and 12 hours behind the most recent commit
> (894f968898e1).
Yeah. Something is stuck on the Chicago mirror. Thanks for reporting.
> Philip Paeps <phi...@freebsd.org> writes:
>> fatty.merc...@aceecat.org writes:
>>> https://vuxml.FreeBSD.org/freebsd/bacc1417-4d82-11f1-87f3-18dbf25a98c6.html
>>>
>>> and browsing to the URL just gives me a "404".
>> This link works here...
>
> It works for me as well now but it didn't yesterday; it was stuck on
> 24c9096b86b0 from Sunday. Now it's stuck on 70439fe03243 which is
> about
> 18 hours old and 12 hours behind the most recent commit
> (894f968898e1).
It looks like gitmir.chi is lagging but not enough for something to yell
about it.
Poking at this now.
Philip
Philip Paeps
1:28 AM (13 hours ago) 1:28 AM
to Dag-Erling Smørgrav, fatty.merc...@aceecat.org, ques...@freebsd.org
I'll keep an eye on this. I'm not sure what caused it to lag (and not
knowing annoys me).
Thanks for reporting.
Philip
Fernando Apesteguía
2:33 AM (12 hours ago) 2:33 AM
to Philip Paeps, Dag-Erling Smørgrav, fatty.merc...@aceecat.org, ques...@freebsd.org
Thank you.
The link also works for me.
Latest entries are:
| 2026-05-12 | postorius -- XSS |
| zeek -- potential DoS vulnerability |
Philip
fatty.merc...@aceecat.org
1:02 PM (2 hours ago) 1:02 PM
to ques...@freebsd.org
On Wed, May 13, 2026 at 07:47:16AM +0800, Philip Paeps wrote:
> > I don't understand this. I could understand if there was a delay
> > between finding the vulnerability and putting the webpage up; but in
> > that case, would it not be better to not include the URL at all until
> > it is actually good to access?
> This link works here...
> Where does vuxml.FreeBSD.org point you? Perhaps one of our mirrors isn't
> working well. (Though we should have noticed.)
It now lands on a 2xx for me, as well.
> > I don't understand this. I could understand if there was a delay
> > between finding the vulnerability and putting the webpage up; but in
> > that case, would it not be better to not include the URL at all until
> > it is actually good to access?
> This link works here...
> Where does vuxml.FreeBSD.org point you? Perhaps one of our mirrors isn't
> working well. (Though we should have noticed.)
14+0:~ $ host vuxml.freebsd.org
vuxml.freebsd.org is an alias for web.geo.freebsd.org.
web.geo.freebsd.org has address 192.184.138.215
web.geo.freebsd.org has IPv6 address 2001:5a8:601:4b::50:3
web.geo.freebsd.org mail is handled by 0 .
15+0:~ $ host 192.184.138.215
215.138.184.192.in-addr.arpa is an alias for 215.208-223.138.184.192.in-addr.arpa.
215.208-223.138.184.192.in-addr.arpa domain name pointer wfe0.son.freebsd.org.
I didn't know [smoke &] mirrors were involved; now it makes a bit more sense.
--
Ian
Reply all
Reply to author
Forward
0 new messages