Date: Thu, 5 Oct 2006 09:47:40 +0400
From: "Andrew Pantyukhin" <sat@FreeBSD.org>
To: "Simon L. Nielsen" <simon@freebsd.org>
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: cvs commit: ports/security/vuxml vuln.xml
Message-ID: <cb5206420610042247h3bcb6454v7f9e50f2123e0879@mail.gmail.com>
In-Reply-To: <20061004185417.GC1008@zaphod.nitro.dk>
References: <200610041710.k94HAkxJ011471@repoman.freebsd.org> <20061004185417.GC1008@zaphod.nitro.dk>
On 10/4/06, Simon L. Nielsen <simon@freebsd.org> wrote:
> On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> > sat 2006-10-04 17:10:46 UTC
> >
> > FreeBSD ports repository
> >
> > Modified files:
> > security/vuxml vuln.xml
> > Log:
> > - Document NULL byte injection vulnerability in phpbb
> >
> > Revision Changes Path
> > 1.1167 +40 -1 ports/security/vuxml/vuln.xml
> [...]
> > | <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> > | + <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
> > | + <topic>phpbb -- NULL byte injection vulnerability</topic>
> > | + <affects>
> > | + <package>
> > | + <name>phpbb</name>
> > | + <name>zh-phpbb-tw</name>
> > | + <range><lt>2.0.22</lt></range>
>
> Where did you find info about this being fixed in 2.0.22? I couldn't
> find it when checking the references and the phpbb web site.

It seems I've been violating an extrapolation of your prior advice to
use >0 when there's no fix. My rationale is to look at an advisory, its
credibility and publicity, look at the affected project and its history
of fixing such advisories and draw a conclusion. I understand the
security implications of such premature conclusions, but in fact the
probability of a mistake in such cases is comparable with that of
marking a vulnerable port safe (also by mistake). If we value every bit
of security we can get, I should probably have stopped doing this
already. Sorry.

> > | + </package>
> > | + </affects>
> > | + <description>
> > | + <body xmlns="http://www.w3.org/1999/xhtml">
> > | + <p>Secunia reports:</p>
>
> [Note that the next comment is general, not just to you]
>
> I'm a bit concerned with the recent number of entries directly/only
> quoting Secunia advisories. It's OK to quote commercial
> "re-advisories", i.e. advisories which the security company are "just"
> reporting of something found by a 3rd party, some of the time, but
> VuXML shouldn't turn into an advertising post for a company (or other
> OS projects issuing advisories for that matter).
>
> When possible the original report of the problem should be used, or
> when that's not possible (e.g. in this case) new text can be written.
>
> I know it's simpler just to copy/paste one of the "re-advisories", but
> I would really prefer if it wasn't done as much.
>
> On a related note, remember to double check references for the
> "re-advisories" since they don't always get the details right. E.g.
> Security Focus's vulnerability database ("Bugtraq ID") very often
> lists versions which are vulnerable as not, and the other way around.

Secunia is a source of quite high quality, which does the job of
summarizing a possibly very technical and obscure report into a concise
and clear advisory. But I get your idea and will try to follow this
piece of advice. Thanks!
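Review bot: the `<range><lt>2.0.22</lt></range>` bound in the quoted hunk is not backed by any reference in the entry showing that 2.0.22 carries the fix, and the thread confirms none was found when the references and the phpbb site were checked; a bound that turns out too low marks unpatched installations as clean, so until a fixed version is confirmed the range should stay open-ended as the earlier advice in the thread recommends, and the `<p>Secunia reports:</p>` description body should point at or paraphrase the original report rather than quote the re-advisory alone.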
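To make concrete what the `<lt>2.0.22</lt>` bound in the quoted entry does to a consumer of the database, here is an added example of my own (not code from the thread or from the ports tree's own tools): a small VuXML range matcher in Python, run over a constructed copy of the quoted entry and over a hypothetical second entry with an open-ended `<ge>0</ge>` range, which I assume here as the "no fix known" convention; the second vid is a placeholder. The version comparison is a simplified one, not the full pkg_version rules.

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample: the first <vuln> mirrors the entry quoted in the thread,
# the second is a hypothetical variant (placeholder vid) with an open-ended
# range, the convention assumed here for "no fixed version known yet".
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
    <topic>phpbb -- NULL byte injection vulnerability</topic>
    <affects><package>
      <name>phpbb</name><name>zh-phpbb-tw</name>
      <range><lt>2.0.22</lt></range>
    </package></affects>
  </vuln>
  <vuln vid="PLACEHOLDER-VID-no-fix-known">
    <topic>phpbb -- hypothetical entry with no fixed version</topic>
    <affects><package>
      <name>phpbb</name>
      <range><ge>0</ge></range>
    </package></affects>
  </vuln>
</vuxml>"""

def parse_version(v):
    # Simplified FreeBSD port version VERSION[_REVISION][,EPOCH] with purely
    # numeric dotted components; not the full pkg_version comparison rules.
    base, _, epoch = v.partition(",")
    base, _, rev = base.partition("_")
    return (int(epoch or 0), tuple(int(x) for x in base.split(".")), int(rev or 0))

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b}

def in_range(version, range_el):
    # Every bound inside one <range> must hold; the tag name (lt, ge, ...) is the operator.
    pv = parse_version(version)
    return all(OPS[b.tag.split("}")[1]](pv, parse_version(b.text.strip())) for b in range_el)

def affecting_vulns(xml_text, pkgname, version):
    # Return the vids of every entry whose package names and ranges match pkgname/version.
    hits = []
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkgname in [n.text for n in pkg.findall("v:name", NS)] and any(
                    in_range(version, r) for r in pkg.findall("v:range", NS)):
                hits.append(vuln.get("vid"))
    return hits
```

Calling `affecting_vulns(SAMPLE_VUXML, "phpbb", "2.0.22")` returns only the open-ended entry: the `<lt>2.0.22</lt>` bound declares 2.0.22 clean whether or not that version really contains the fix.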