From: "Andrew Pantyukhin"
To: "Vasil Dimov"
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, "Simon L. Nielsen", ports-committers@freebsd.org
Date: Thu, 5 Oct 2006 11:36:02 +0400
Subject: Re: cvs commit: ports/security/vuxml vuln.xml

On 10/5/06, Vasil Dimov wrote:
> On Thu, Oct 05, 2006 at 09:47:40AM +0400, Andrew Pantyukhin wrote:
> > On 10/4/06, Simon L. Nielsen wrote:
> > >On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> > >> sat 2006-10-04 17:10:46 UTC
> > >>
> > >> FreeBSD ports repository
> > >>
> > >> Modified files:
> > >> security/vuxml vuln.xml
> > >> Log:
> > >> - Document NULL byte injection vulnerability in phpbb
> > >>
> > >> Revision Changes Path
> > >> 1.1167 +40 -1 ports/security/vuxml/vuln.xml
> > >[...]
> > >> |
> > >> | +
> > >> | + phpbb -- NULL byte injection vulnerability
> > >> | +
> > >> | +
> > >> | + phpbb
> > >> | + zh-phpbb-tw
> > >> | + 2.0.22
> > >
> > >Where did you find info about this being fixed in 2.0.22? I couldn't
> > >find it when checking the references and the phpbb web site.
> >
> > It seems I've been violating an extrapolation of your prior advice
> > to use >0 when there's no fix. My rationale is to look at an advisory,
> > its credibility and publicity, look at the affected project and its
> > history of fixing such advisories and draw a conclusion.
> >
>
> Do I correctly understand that you assumed that the issue will be fixed
> in 2.0.22 which is not yet released?
>
> This sounds totally bogus to me.
> _Do not assume anything!_

This only makes sense if you've been tracking security issues
closely for some time. I understand it does not appear very
rational, so I'll stop doing this and fix this and some other
advisories shortly.

Thanks for your attention!
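
Review bot: the `2.0.22` value on the last line of the quoted vuln.xml hunk is a version bound that nothing in the entry supports; the reply above reports that neither the references nor the phpbb web site mention a fix in that release. Until a fixed release is confirmed, the entry should use the `>0` form mentioned in the thread so that every installed version of `phpbb` and `zh-phpbb-tw` is flagged, and the bound should be tightened in a follow-up commit once the fix ships.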