From: "Jacques A. Vidrine"
To: Oliver Eikemeier
Cc: freebsd-vuxml@FreeBSD.org, Tom Rhodes
Date: Tue, 17 Aug 2004 12:58:47 -0500
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
Message-ID: <20040817175847.GC43426@madman.celabo.org>

[Moving to freebsd-vuxml ...
oh how I wish Bcc worked so that people on the other list knew where this went :-) ]

On Tue, Aug 17, 2004 at 07:46:16PM +0200, Oliver Eikemeier wrote:
> When you can live with the dummy text produced by my perl script
> ("Please contact the FreeBSD Security Team for more information.") and
> we can make the `discovered' entry optional, fine with me. I can write
> a `make entry' perl script that parses a form and generates a template
> entry, send-pr like.

FWIW, this sounds fine by me, except about the part. I see your point about it though... it may be dangerous to have a bogus value (like the date of entry), because it may not get corrected later. But I don't want it optional, so that it is not forgotten. Perhaps we need the possibility of marking something explicitly for such occasions ...

In the meantime, could the date of entry be used? And perhaps a comment could be a workaround for now, something like

2004-08-17

Ugly, I know, but the current format wasn't made for works-in-progress. Maybe we can make some options for that...

> >In place of arguing, start forging some code to check the base
> >system against the security listings in vuln.xml.
>
> portaudit could easily do that. The only thing useful here would be to
> use __FreeBSD_versions, so we can check -STABLE and -CURRENT too. Or can
> I map the version numbers somehow? I added __FreeBSD_versions in the
> last entry (multiple CVS vulnerabilities), but they are commented out
> since I don't know what the right syntax is.

By way of example, I've been using FreeBSD 4.7-RELEASE-p1 == 4.7_1. I'm not entirely satisfied and I am open to suggestions. This part has been ill-specified. :-(

Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
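
An added example, not part of the original message and not portaudit code: a sketch of the release-to-version mapping discussed above (4.7-RELEASE-p1 == 4.7_1) used to test a base system against an upper bound such as a VuXML `<lt>` range. The function names, the bound values, and the treatment of a bare -RELEASE as patch level 0 are assumptions of this example; -STABLE and -CURRENT are reported as undecidable because the thread gives no mapping for them.

```python
import re

# Only the mapping "4.7-RELEASE-p1 == 4.7_1" comes from the message.
# Everything else here (bare -RELEASE == patch level 0, dotted versions
# with three components) is an assumption of this example.
_RELEASE_RE = re.compile(r"^(\d+(?:\.\d+)+)-RELEASE(?:-p(\d+))?$")
_PORTVER_RE = re.compile(r"^(\d+(?:\.\d+)+)(?:_(\d+))?$")


def release_to_portversion(release):
    """Map a `uname -r` style string to the port-style form.

    Returns None for anything that is not a -RELEASE[-pN] string
    (-STABLE, -CURRENT, ...), since those carry no patch level and
    would need something like __FreeBSD_version instead.
    """
    m = _RELEASE_RE.match(release.strip())
    if m is None:
        return None
    base, patch = m.group(1), int(m.group(2) or 0)
    return f"{base}_{patch}" if patch else base


def version_key(portversion):
    """Turn '4.7_1' into ((4, 7), 1) so versions compare numerically."""
    m = _PORTVER_RE.match(portversion)
    if m is None:
        raise ValueError(f"not a base-system version: {portversion!r}")
    dotted = tuple(int(part) for part in m.group(1).split("."))
    return dotted, int(m.group(2) or 0)


def base_is_affected(release, lt_bound):
    """Check a running release against an exclusive upper bound.

    True/False when the release can be mapped; None when it cannot,
    so the caller can flag the host for manual review instead of
    silently treating it as safe.
    """
    mapped = release_to_portversion(release)
    if mapped is None:
        return None
    return version_key(mapped) < version_key(lt_bound)


if __name__ == "__main__":
    # Constructed sample inputs; "4.7_2" is a made-up bound.
    for rel in ("4.7-RELEASE-p1", "4.7-RELEASE-p2", "4.10-STABLE"):
        print(rel, release_to_portversion(rel), base_is_affected(rel, "4.7_2"))
```
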