From owner-freebsd-vuxml@FreeBSD.ORG Sun Sep 12 14:23:32 2004
From: "Dan Langille"
To: Jacques Vidrine
cc: freebsd-vuxml@freebsd.org
Date: Sun, 12 Sep 2004 07:04:17 -0400
Message-ID: <4143F4F1.28264.13A20725@localhost>
In-reply-to: <9E499E76-FAEC-11D8-84D2-000A95BC6FAE@FreeBSD.org>
Subject: Re: vuln.xml *is* XML (was Re: vuln.xml is not XML)

On 30 Aug 2004 at 20:25, Jacques Vidrine wrote:

> AFAIK, XML::Node is based on XML::Parser which is based on expat.
> expat supports namespaces perfectly well, so it is surprising if the
> Perl modules built on top of it do not.

The VuXML parsing script has been completed. The work was done by Matthew
Seaman. Yesterday I finished adding database update code to his work.

FreshPorts BETA now has VuXML data. The next step is to mark commits as
related to a VuXML entry, and that will enable us to provide a link.

An example can be found at http://beta.freshports.org/ftp/tnftpd/

We also have to get PORTEPOCH stored.

--
Dan Langille : http://www.langille.org/


From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 17:33:25 2004
From: Dan Langille
To: freebsd-vuxml@freebsd.org
Date: Mon, 13 Sep 2004 13:33:22 -0400 (EDT)
Message-ID: <20040913123610.G22240@xeon.unixathome.org>
Subject: Matching a name to a port

I'm trying to match vuln.xml information against actual ports. To do
this, I need to know how the entries in the <name> field are derived.

I first thought it might be PORTNAME. But that's not the case. I now
think it might be ${PKGNAMEPREFIX}${PORTNAME}$.

If I am correct, then I have some questions about the following entries.

What ports do the following refer to?

  iaskmpd
  ImageMagick-nox11
  ja-netscape7
  libtool
  mod_php4-twig
  mpg123-esound
  mplayer-esound
  mplayer-gtk
  mplayer-gtk-esound
  mysql-client
  mysql-scripts
  mysql-server

The answers may be obvious to the trained eye, but how does one write code
against this?

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/


From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 17:35:55 2004
From: Dan Langille
To: freebsd-vuxml@freebsd.org
Date: Mon, 13 Sep 2004 13:35:53 -0400 (EDT)
Message-ID: <20040913133522.Y22240@xeon.unixathome.org>
In-Reply-To: <20040913123610.G22240@xeon.unixathome.org>
Subject: Re: Matching a name to a port

On Mon, 13 Sep 2004, Dan Langille wrote:

> I'm trying to match vuln.xml information against actual ports. To do
> this, I need to know how the entries in the <name> field are derived.
>
> I first thought it might be PORTNAME. But that's not the case. I now
> think it might be ${PKGNAMEPREFIX}${PORTNAME}$.
>
> If I am correct, then I have some questions about the following entries.
>
> What ports do the following refer to?
>
> iaskmpd
> ImageMagick-nox11
> ja-netscape7

Please ignore ja-netscape7. I should have removed it from this list.
Sorry.
--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/


From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 17:48:08 2004
From: "Jacques A. Vidrine"
To: Dan Langille
cc: freebsd-vuxml@freebsd.org
Date: Mon, 13 Sep 2004 12:47:48 -0500
Message-ID: <20040913174748.GC71191@madman.celabo.org>
In-Reply-To: <20040913123610.G22240@xeon.unixathome.org>
Subject: Re: Matching a name to a port

On Mon, Sep 13, 2004 at 01:33:22PM -0400, Dan Langille wrote:
> I'm trying to match vuln.xml information against actual ports. To do
> this, I need to know how the entries in the <name> field are derived.
>
> I first thought it might be PORTNAME. But that's not the case. I now
> think it might be ${PKGNAMEPREFIX}${PORTNAME}$.

${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}

See the definition of PKGNAME in bsd.port.mk. It is PKGNAME minus the
version information.

> If I am correct, then I have some questions about the following entries.
>
> What ports do the following refer to?
>
> iaskmpd

security/isakmpd

> ImageMagick-nox11

graphics/ImageMagick

> ja-netscape7

japanese/netscape7

> libtool

depends, could be devel/libtool13 or devel/libtool15, or even the
no-longer-existent devel/libtool or devel/libtool14

> mod_php4-twig

www/mod_php4-twig

> mpg123-esound

> mplayer-esound
> mplayer-gtk
> mplayer-gtk-esound

multimedia/mplayer

> mysql-client
> mysql-scripts
> mysql-server

depends, could be any of the database/mysql*-(client|scripts|server) ports.

> The answers may be obvious to the trained eye, but how does one write code
> against this?

Ports are re-named, moved, removed. I'm not sure that it can be
done exactly other than by what I suggested previously: a database
of the "history" of package names.
IIRC, portupgrade uses ad hoc
heuristics to guess the port origin from the package name, when the
ORIGIN comment is not usable for some reason.

The dichotomy of package name and port origin has always been a
troublesome aspect of the FreeBSD Ports collection :-(

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org


From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 18:16:48 2004
From: Dan Langille
To: "Jacques A. Vidrine"
cc: freebsd-vuxml@freebsd.org
Date: Mon, 13 Sep 2004 14:16:37 -0400 (EDT)
Message-ID: <20040913135431.F22240@xeon.unixathome.org>
In-Reply-To: <20040913174748.GC71191@madman.celabo.org>
Subject: Re: Matching a name to a port

On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:

> On Mon, Sep 13, 2004 at 01:33:22PM -0400, Dan Langille wrote:
> > I'm trying to match vuln.xml information against actual ports. To do
> > this, I need to know how the entries in the <name> field are derived.
> >
> > I first thought it might be PORTNAME. But that's not the case. I now
> > think it might be ${PKGNAMEPREFIX}${PORTNAME}$.
>
> ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}
>
> See the definition of PKGNAME in bsd.port.mk. It is PKGNAME minus the
> version information.
>
> > If I am correct, then I have some questions about the following entries.
> >
> > What ports do the following refer to?

Jacques: Thanks for pointing out the ports I missed. I have snipped them
from the discussion so we can concentrate on the others.

> > ImageMagick-nox11
> graphics/ImageMagick

I see ImageMagick in the names for this vuln. Where does ImageMagick-nox11
enter the picture?

> > libtool
> depends, could be devel/libtool13 or devel/libtool15, or even the
> no-longer-existent devel/libtool or devel/libtool14

Looking at the data:

  <package>
    <name>libtool</name>
    <range><ge>1.3</ge><lt>1.3.5_2</lt></range>
    <range><ge>1.4</ge><lt>1.4.3_3</lt></range>
    <range><ge>1.5</ge><lt>1.5.2</lt></range>
  </package>

I suggest we need three package entries to cover the various FreeBSD ports
which have existed. Please see the mysql suggestion below for an example
of what I mean.

This URL shows the libtool ports in question.

http://www.freshports.org/search.php?stype=name&method=match&query=libtool&num=10&deleted=includedeleted&casesensitivity=caseinsensitive&search=Search&orderby=category&orderbyupdown=asc

> > mpg123-esound

We have mpg123, but no mpg123-esound. I wonder where it comes from.

> > mplayer-esound
> > mplayer-gtk
> > mplayer-gtk-esound
>
> multimedia/mplayer

I don't know what to do about those. The vuln has an entry for mplayer,
so we'll catch that on FreshPorts, but not the other three.

> > mysql-client
> > mysql-scripts
> > mysql-server
> depends, could be any of the database/mysql*-(client|scripts|server) ports.

FreshPorts, or any other code for that matter, has no way of knowing which
port this vuln entry refers to. Intuitively, yes, we know it's going to be
one of mysql323-client, mysql40-client, and mysql50-client.

Yes, the range entries help human eyes:

    <range><ge>4.1</ge><lt>4.1.3</lt></range>
    <range><ge>5</ge><lt>5.0.0_2</lt></range>

I suggest we need two packages:

  <package>
    <name>mysql40-client</name>
    <range><ge>4.0</ge><lt>4.0.20</lt></range>
    <range><ge>4.1</ge><lt>4.1.1_2</lt></range>
  </package>

  <package>
    <name>mysql50-client</name>
    <range><ge>5.0</ge><lt>5.0.0_2</lt></range>
  </package>

Should the entry be modified to refer explicitly to

> > The answers may be obvious to the trained eye, but how does one write code
> > against this?
>
> Ports are re-named, moved, removed. I'm not sure that it can be
> done exactly other than by what I suggested previously: a database
> of the "history" of package names. IIRC, portupgrade uses ad hoc
> heuristics to guess the port origin from the package name, when the
> ORIGIN comment is not usable for some reason.
>
> The dichotomy of package name and port origin has always been a
> troublesome aspect of the FreeBSD Ports collection :-(

Moving things around isn't so much of a problem. Locating them in the
first place is the issue. Later moves are not a problem.

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/


From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 18:36:48 2004
From: "Jacques A. Vidrine"
To: Dan Langille
cc: freebsd-vuxml@freebsd.org
Date: Mon, 13 Sep 2004 13:36:27 -0500
Message-ID: <20040913183627.GG71191@madman.celabo.org>
In-Reply-To: <20040913135431.F22240@xeon.unixathome.org>
Subject: Re: Matching a name to a port

On Mon, Sep 13, 2004 at 02:16:37PM -0400, Dan Langille wrote:
> On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:
>
> > On Mon, Sep 13, 2004 at 01:33:22PM -0400, Dan Langille wrote:
> > > I'm trying to match vuln.xml information against actual ports. To do
> > > this, I need to know how the entries in the <name> field are derived.
> > >
> > > I first thought it might be PORTNAME. But that's not the case. I now
> > > think it might be ${PKGNAMEPREFIX}${PORTNAME}$.
> >
> > ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}
> >
> > See the definition of PKGNAME in bsd.port.mk. It is PKGNAME minus the
> > version information.
> >
> > > If I am correct, then I have some questions about the following entries.
> > >
> > > What ports do the following refer to?
>
> Jacques: Thanks for pointing out the ports I missed. I have snipped them
> from the discussion so we can concentrate on the others.
>
> > > ImageMagick-nox11
> > graphics/ImageMagick
>
> I see ImageMagick in the names for this vuln. Where does
> ImageMagick-nox11 enter the picture?

Good point. ImageMagick-nox11 is probably also affected, and
probably should also be listed. (I'll correct.) If one installs
graphics/ImageMagick with the WITHOUT_X11 variable defined, then you
get ImageMagick-nox11.

> > > libtool
> > depends, could be devel/libtool13 or devel/libtool15, or even the
> > no-longer-existent devel/libtool or devel/libtool14
>
> Looking at the data:
>
>   <package>
>     <name>libtool</name>
>     <range><ge>1.3</ge><lt>1.3.5_2</lt></range>
>     <range><ge>1.4</ge><lt>1.4.3_3</lt></range>
>     <range><ge>1.5</ge><lt>1.5.2</lt></range>
>   </package>
>
> I suggest we need three package entries to cover the various FreeBSD ports
> which have existed. Please see the mysql suggestion below for an example
> of what I mean.

It would not work, see below.

> This URL shows the libtool ports in question.
>
> http://www.freshports.org/search.php?stype=name&method=match&query=libtool&num=10&deleted=includedeleted&casesensitivity=caseinsensitive&search=Search&orderby=category&orderbyupdown=asc
>
> > > mpg123-esound
>
> We have mpg123, but no mpg123-esound. I wonder where it comes from.

If you build mpg123 with Gnome, you get mpg123-esound.

> > > mplayer-esound
> > > mplayer-gtk
> > > mplayer-gtk-esound
> >
> > multimedia/mplayer
>
> I don't know what to do about those. The vuln has an entry for mplayer,
> so we'll catch that on FreshPorts, but not the other three.

Which is it? It seems that the <vuln>s in ports/security/vuxml/vuln.xml
related to mplayer each list all of these package names.

> > > mysql-client
> > > mysql-scripts
> > > mysql-server
> > depends, could be any of the database/mysql*-(client|scripts|server) ports.
>
> FreshPorts, or any other code for that matter, has no way
> of knowing which port this vuln entry refers to.

That's because there is no such thing as an affected "port", only an
affected "package".

> Intuitively, yes, we know it's going to be one of mysql323-client,
> mysql40-client, and mysql50-client.
>
> Yes, the range entries help human eyes:
>
>     <range><ge>4.1</ge><lt>4.1.3</lt></range>
>     <range><ge>5</ge><lt>5.0.0_2</lt></range>

It is also used by any code that checks for vulnerable packages, such
as portaudit or vxquery.

> I suggest we need two packages:
>
>   <package>
>     <name>mysql40-client</name>
>     <range><ge>4.0</ge><lt>4.0.20</lt></range>
>     <range><ge>4.1</ge><lt>4.1.1_2</lt></range>
>   </package>
>
>   <package>
>     <name>mysql50-client</name>
>     <range><ge>5.0</ge><lt>5.0.0_2</lt></range>
>   </package>

No, this would be wrong and would not match any packages ever
installed by the FreeBSD Ports Collection. e.g. There is a package
``mysql-client-4.0.18_1'', but never has there been a package
``mysql40-client-4.0.18_1'' and there will never be.

> Should the entry be modified to refer explicitly to

Something truncated here?

> > > The answers may be obvious to the trained eye, but how does one write code
> > > against this?
> >
> > Ports are re-named, moved, removed. I'm not sure that it can be
> > done exactly other than by what I suggested previously: a database
> > of the "history" of package names. IIRC, portupgrade uses ad hoc
> > heuristics to guess the port origin from the package name, when the
> > ORIGIN comment is not usable for some reason.
> >
> > The dichotomy of package name and port origin has always been a
> > troublesome aspect of the FreeBSD Ports collection :-(
>
> Moving things around isn't so much of a problem. Locating them in the
> first place is the issue. Later moves are not a problem.

I'm not sure what you mean :-( Maybe you mean once you have the package
names correlated to port names within FreshPorts, later moves will be
"caught" automatically?
Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org


From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 18:56:19 2004
From: Dan Langille
To: "Jacques A. Vidrine"
cc: freebsd-vuxml@freebsd.org
Date: Mon, 13 Sep 2004 14:56:10 -0400 (EDT)
Message-ID: <20040913144103.U22240@xeon.unixathome.org>
In-Reply-To: <20040913183627.GG71191@madman.celabo.org>
Subject: Re: Matching a name to a port

On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:

> On Mon, Sep 13, 2004 at 02:16:37PM -0400, Dan Langille wrote:
> > On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:
> >
> > > On Mon, Sep 13, 2004 at 01:33:22PM -0400, Dan Langille wrote:
> > > > I'm trying to match vuln.xml information against actual ports. To do
> > > > this, I need to know how the entries in the <name> field are derived.
> > > >
> > > > I first thought it might be PORTNAME. But that's not the case. I now
> > > > think it might be ${PKGNAMEPREFIX}${PORTNAME}$.
> > >
> > > ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}
> > >
> > > See the definition of PKGNAME in bsd.port.mk. It is PKGNAME minus the
> > > version information.
> > >
> > > > If I am correct, then I have some questions about the following entries.
> > > >
> > > > What ports do the following refer to?
> >
> > Jacques: Thanks for pointing out the ports I missed. I have snipped them
> > from the discussion so we can concentrate on the others.
> >
> > > > ImageMagick-nox11
> > > graphics/ImageMagick
> >
> > I see ImageMagick in the names for this vuln. Where does
> > ImageMagick-nox11 enter the picture?
>
> Good point. ImageMagick-nox11 is probably also affected, and
> probably should also be listed. (I'll correct.) If one installs
> graphics/ImageMagick with the WITHOUT_X11 variable defined, then you
> get ImageMagick-nox11.

FreshPorts knows nothing about ImageMagick-nox11 because there is no such
port. It knows only about ImageMagick, against which commits are made.

Proposed approach for FreshPorts: I think FreshPorts will ignore package
entries for which it cannot find a corresponding port. If all packages
for a vuln fail to relate to a port, that will be something which
justifies further investigation.

> > > > libtool
> > > depends, could be devel/libtool13 or devel/libtool15, or even the
> > > no-longer-existent devel/libtool or devel/libtool14
> >
> > Looking at the data:
> >
> >   <package>
> >     <name>libtool</name>
> >     <range><ge>1.3</ge><lt>1.3.5_2</lt></range>
> >     <range><ge>1.4</ge><lt>1.4.3_3</lt></range>
> >     <range><ge>1.5</ge><lt>1.5.2</lt></range>
> >   </package>
> >
> > I suggest we need three package entries to cover the various FreeBSD ports
> > which have existed. Please see the mysql suggestion below for an example
> > of what I mean.
>
> It would not work, see below.

Ahh, I understand now. Thanks.

> > This URL shows the libtool ports in question.
> >
> > http://www.freshports.org/search.php?stype=name&method=match&query=libtool&num=10&deleted=includedeleted&casesensitivity=caseinsensitive&search=Search&orderby=category&orderbyupdown=asc
> >
> > > > mpg123-esound
> >
> > We have mpg123, but no mpg123-esound. I wonder where it comes from.
>
> If you build mpg123 with Gnome, you get mpg123-esound.

Good. Then the proposal will hold up here.

> > > > mplayer-esound
> > > > mplayer-gtk
> > > > mplayer-gtk-esound
> > >
> > > multimedia/mplayer
> >
> > I don't know what to do about those. The vuln has an entry for mplayer,
> > so we'll catch that on FreshPorts, but not the other three.
>
> Which is it? It seems that the <vuln>s in
> ports/security/vuxml/vuln.xml related to mplayer each list all of these
> package names.

I found only one vuln.

  5e7f58c3-b3f8-4258-aeb8-795e5e940ff8

And yes, it refers to all the above. This situation will resolve OK under
the proposal.

> > > > mysql-client
> > > > mysql-scripts
> > > > mysql-server
> > > depends, could be any of the database/mysql*-(client|scripts|server) ports.
> >
> > FreshPorts, or any other code for that matter, has no way
> > of knowing which port this vuln entry refers to.
>
> That's because there is no such thing as an affected "port", only an
> affected "package".
>
> > Intuitively, yes, we know it's going to be one of mysql323-client,
> > mysql40-client, and mysql50-client.
> >
> > Yes, the range entries help human eyes:
> >
> >     <range><ge>4.1</ge><lt>4.1.3</lt></range>
> >     <range><ge>5</ge><lt>5.0.0_2</lt></range>
>
> It is also used by any code that checks for vulnerable packages, such
> as portaudit or vxquery.

Yep, I've had them in mind too, and was wondering how they did it. They
have the advantage of a list of installed packages/ports. FreshPorts does
not. I now think that's OK.

> > I suggest we need two packages:
> >
> >   <package>
> >     <name>mysql40-client</name>
> >     <range><ge>4.0</ge><lt>4.0.20</lt></range>
> >     <range><ge>4.1</ge><lt>4.1.1_2</lt></range>
> >   </package>
> >
> >   <package>
> >     <name>mysql50-client</name>
> >     <range><ge>5.0</ge><lt>5.0.0_2</lt></range>
> >   </package>
>
> No, this would be wrong and would not match any packages ever
> installed by the FreeBSD Ports Collection. e.g. There is a package
> ``mysql-client-4.0.18_1'', but never has there been a package
> ``mysql40-client-4.0.18_1'' and there will never be.

Of course, yes. We're back to the basis of package name:

  ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}

FreshPorts has never stored that information. I see now that it will have
to. With luck, this information will be pretty static over the life of a
port and everything will just fall into place with respect to historical
entries.

> > Should the entry be modified to refer explicitly to
>
> Something truncated here?

I think I started something, then went and added the above "I suggest we
need two packages:" section and did not remove my uncompleted sentence.

> > > > The answers may be obvious to the trained eye, but how does one write code
> > > > against this?
> > >
> > > Ports are re-named, moved, removed. I'm not sure that it can be
> > > done exactly other than by what I suggested previously: a database
> > > of the "history" of package names. IIRC, portupgrade uses ad hoc
> > > heuristics to guess the port origin from the package name, when the
> > > ORIGIN comment is not usable for some reason.
> > >
> > > The dichotomy of package name and port origin has always been a
> > > troublesome aspect of the FreeBSD Ports collection :-(
> >
> > Moving things around isn't so much of a problem. Locating them in the
> > first place is the issue. Later moves are not a problem.
>
> I'm not sure what you mean :-( Maybe you mean once you have the package
> names correlated to port names within FreshPorts, later moves will be
> "caught" automatically?

Yes. It's hard to phrase. For example, you can view deleted ports in
FreshPorts, which will retain the history.
--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/


From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 19:05:29 2004
From: "Jacques A. Vidrine"
To: Dan Langille
cc: freebsd-vuxml@freebsd.org
Date: Mon, 13 Sep 2004 14:05:09 -0500
Message-ID: <20040913190509.GK71191@madman.celabo.org>
In-Reply-To: <20040913144103.U22240@xeon.unixathome.org>
Subject: Re: Matching a name to a port

On Mon, Sep 13, 2004 at 02:56:10PM -0400, Dan Langille wrote:
> FreshPorts knows nothing about ImageMagick-nox11 because there is no such
> port. It knows only about ImageMagick, against which commits are made.
>
> Proposed approach for FreshPorts: I think FreshPorts will ignore package
> entries for which it cannot find a corresponding port. If all packages
> for a vuln fail to relate to a port, that will be something which
> justifies further investigation.

I think that is a reasonable approach.

[...]

> Yep, I've had them in mind too, and was wondering how they did it. They
> have the advantage of a list of installed packages/ports. FreshPorts does
> not. I now think that's OK.

Right, they are looking either at already-installed packages, or
perhaps at about-to-be-installed packages. In both cases, the actual
package name is already available.

[...]

> FreshPorts has never stored that information. I see now that it will have
> to. With luck, this information will be pretty static over the life of a
> port and everything will just fall into place with respect to historical
> entries.

/me crosses fingers :-)

[...]

> > I'm not sure what you mean :-( Maybe you mean once you have the package
> > names correlated to port names within FreshPorts, later moves will be
> > "caught" automatically?
>
> Yes. It's hard to phrase. For example, you can view deleted ports in
> FreshPorts, which will retain the history.

OK, I think I follow. Thanks!!

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org


From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 20:21:03 2004
From: Dan Langille
To: "Jacques A. Vidrine"
cc: freebsd-vuxml@freebsd.org
Date: Mon, 13 Sep 2004 16:21:01 -0400 (EDT)
Message-ID: <20040913160315.C22240@xeon.unixathome.org>
In-Reply-To: <20040913190509.GK71191@madman.celabo.org>
Subject: Re: Matching a name to a port

On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:

> On Mon, Sep 13, 2004 at 02:56:10PM -0400, Dan Langille wrote:
> > FreshPorts knows nothing about ImageMagick-nox11 because there is no such
> > port. It knows only about ImageMagick, against which commits are made.
> >
> > Proposed approach for FreshPorts: I think FreshPorts will ignore package
> > entries for which it cannot find a corresponding port. If all packages
> > for a vuln fail to relate to a port, that will be something which
> > justifies further investigation.
>
> I think that is a reasonable approach.

FYI, I just realised that FreshPorts can only determine the
${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX} for existing ports. This will
exclude ports which have been deleted. Those values aren't easy to grab.

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/


From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 20:28:40 2004
From: "Jacques A. Vidrine"
To: Dan Langille
cc: freebsd-vuxml@freebsd.org
Date: Mon, 13 Sep 2004 15:28:20 -0500
Message-ID: <20040913202820.GC73780@madman.celabo.org>
In-Reply-To: <20040913160315.C22240@xeon.unixathome.org>
Subject: Re: Matching a name to a port

On Mon, Sep 13, 2004 at 04:21:01PM -0400, Dan Langille wrote:
> On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:
>
> > On Mon, Sep 13, 2004 at 02:56:10PM -0400, Dan Langille wrote:
> > > FreshPorts knows nothing about ImageMagick-nox11 because there is no such
> > > port. It knows only about ImageMagick, against which commits are made.
> > >
> > > Proposed approach for FreshPorts: I think FreshPorts will ignore package
> > > entries for which it cannot find a corresponding port. If all packages
> > > for a vuln fail to relate to a port, that will be something which
> > > justifies further investigation.
> >
> > I think that is a reasonable approach.
>
> FYI, I just realised that FreshPorts can only determine the
> ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX} for existing ports. This will
> exclude ports which have been deleted. Those values aren't easy to grab.
Right, thus my several allusions to a non-existent "package name history" database. :-) Cheers, -- Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 20:43:32 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2D9FD16A4CE; Mon, 13 Sep 2004 20:43:32 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id B61C443D58; Mon, 13 Sep 2004 20:43:31 +0000 (GMT) (envelope-from dan@langille.org) Received: from xeon (xeon.unixathome.org [192.168.0.18]) by bast.unixathome.org (Postfix) with ESMTP id 5DDBC3D3D; Mon, 13 Sep 2004 16:43:25 -0400 (EDT) Date: Mon, 13 Sep 2004 16:43:25 -0400 (EDT) From: Dan Langille X-X-Sender: dan@xeon.unixathome.org To: "Jacques A. Vidrine" In-Reply-To: <20040913174748.GC71191@madman.celabo.org> Message-ID: <20040913163933.O22240@xeon.unixathome.org> References: <20040913123610.G22240@xeon.unixathome.org> <20040913174748.GC71191@madman.celabo.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-vuxml@freebsd.org Subject: b7cb488c-8349-11d8-a41f-0020ed76ef5a : wrong package name (was Re: Matching a name to a port) X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Sep 2004 20:43:32 -0000 On Mon, 13 Sep 2004, Jacques A. Vidrine wrote: > > If am i correct, then I have some questions about the following entries. > > > > What ports do the following refer to? > > > > iaskmpd > security/isakmpd I thought something was wrong there. Typo. 
The 2nd and 3rd letters are transposed: - iaskmpd + isakmpd -- Dan Langille - http://www.langille.org/ BSDCan - The Technical BSD Conference: http://www.bsdcan.org/ From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 20:47:59 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4D56A16A4CE for ; Mon, 13 Sep 2004 20:47:59 +0000 (GMT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0357343D58 for ; Mon, 13 Sep 2004 20:47:59 +0000 (GMT) (envelope-from nectar@celabo.org) Received: from localhost (localhost [127.0.0.1]) by gw.celabo.org (Postfix) with ESMTP id 815D35486E; Mon, 13 Sep 2004 15:47:58 -0500 (CDT) Received: from gw.celabo.org ([127.0.0.1]) by localhost (hellblazer.celabo.org [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 43049-01; Mon, 13 Sep 2004 15:47:47 -0500 (CDT) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (not verified)) by gw.celabo.org (Postfix) with ESMTP id D4AB05485D; Mon, 13 Sep 2004 15:47:47 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id A38FE6D465; Mon, 13 Sep 2004 15:47:39 -0500 (CDT) Date: Mon, 13 Sep 2004 15:47:39 -0500 From: "Jacques A. Vidrine" To: Dan Langille Message-ID: <20040913204739.GT71191@madman.celabo.org> Mail-Followup-To: "Jacques A. 
Vidrine" , Dan Langille , freebsd-vuxml@freebsd.org References: <20040913123610.G22240@xeon.unixathome.org> <20040913174748.GC71191@madman.celabo.org> <20040913163933.O22240@xeon.unixathome.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040913163933.O22240@xeon.unixathome.org> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.6i cc: freebsd-vuxml@freebsd.org Subject: Re: b7cb488c-8349-11d8-a41f-0020ed76ef5a : wrong package name (was Re: Matching a name to a port) X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Sep 2004 20:47:59 -0000 On Mon, Sep 13, 2004 at 04:43:25PM -0400, Dan Langille wrote: > On Mon, 13 Sep 2004, Jacques A. Vidrine wrote: > > > > If am i correct, then I have some questions about the following entries. > > > > > > What ports do the following refer to? > > > > > > iaskmpd > > security/isakmpd > > I thought something was wrong there. > > Typo. The 2nd and 3rd letters are transposed: > > - iaskmpd > + isakmpd Bwahahah Thanks for catching! 
Cheers, -- Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 20:49:47 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7901B16A4CE; Mon, 13 Sep 2004 20:49:47 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4AC5543D53; Mon, 13 Sep 2004 20:49:47 +0000 (GMT) (envelope-from dan@langille.org) Received: from xeon (xeon.unixathome.org [192.168.0.18]) by bast.unixathome.org (Postfix) with ESMTP id 046AD3D3D; Mon, 13 Sep 2004 16:49:41 -0400 (EDT) Date: Mon, 13 Sep 2004 16:49:41 -0400 (EDT) From: Dan Langille X-X-Sender: dan@xeon.unixathome.org To: "Jacques A. Vidrine" In-Reply-To: <20040913204739.GT71191@madman.celabo.org> Message-ID: <20040913164904.O22240@xeon.unixathome.org> References: <20040913123610.G22240@xeon.unixathome.org> <20040913163933.O22240@xeon.unixathome.org> <20040913204739.GT71191@madman.celabo.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-vuxml@freebsd.org Subject: Re: b7cb488c-8349-11d8-a41f-0020ed76ef5a : wrong package name (was Re: Matching a name to a port) X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Sep 2004 20:49:47 -0000 On Mon, 13 Sep 2004, Jacques A. Vidrine wrote: > On Mon, Sep 13, 2004 at 04:43:25PM -0400, Dan Langille wrote: > > On Mon, 13 Sep 2004, Jacques A. Vidrine wrote: > > > > > > If am i correct, then I have some questions about the following entries. > > > > > > > > What ports do the following refer to? > > > > > > > > iaskmpd > > > security/isakmpd > > > > I thought something was wrong there. > > > > Typo. 
The 2nd and 3rd letters are transposed: > > > > - iaskmpd > > + isakmpd > > Bwahahah > Thanks for catching! The question is, how does portaudit know to report it? -- Dan Langille - http://www.langille.org/ BSDCan - The Technical BSD Conference: http://www.bsdcan.org/ From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 20:53:37 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 273BB16A4CE; Mon, 13 Sep 2004 20:53:37 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id EA5D443D41; Mon, 13 Sep 2004 20:53:36 +0000 (GMT) (envelope-from dan@langille.org) Received: from xeon (xeon.unixathome.org [192.168.0.18]) by bast.unixathome.org (Postfix) with ESMTP id 19E5A3D3D; Mon, 13 Sep 2004 16:53:35 -0400 (EDT) Date: Mon, 13 Sep 2004 16:53:35 -0400 (EDT) From: Dan Langille X-X-Sender: dan@xeon.unixathome.org To: "Jacques A. Vidrine" In-Reply-To: <20040913204739.GT71191@madman.celabo.org> Message-ID: <20040913165130.U22240@xeon.unixathome.org> References: <20040913123610.G22240@xeon.unixathome.org> <20040913163933.O22240@xeon.unixathome.org> <20040913204739.GT71191@madman.celabo.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-vuxml@freebsd.org Subject: Re: b7cb488c-8349-11d8-a41f-0020ed76ef5a : wrong package name (was Re: Matching a name to a port) X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Sep 2004 20:53:37 -0000 On Mon, 13 Sep 2004, Jacques A. Vidrine wrote: > On Mon, Sep 13, 2004 at 04:43:25PM -0400, Dan Langille wrote: > > On Mon, 13 Sep 2004, Jacques A. Vidrine wrote: > > > > > > If am i correct, then I have some questions about the following entries. 
> > > > > > > > What ports do the following refer to? > > > > > > > > iaskmpd > > > security/isakmpd > > > > I thought something was wrong there. > > > > Typo. The 2nd and 3rd letters are transposed: > > > > - iaskmpd > > + isakmpd > > Bwahahah > Thanks for catching! Oh, portaudit doesn't use vuxml. I see. -- Dan Langille - http://www.langille.org/ BSDCan - The Technical BSD Conference: http://www.bsdcan.org/ From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 13 21:37:16 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B26C216A4CF for ; Mon, 13 Sep 2004 21:37:16 +0000 (GMT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6B24443D1D for ; Mon, 13 Sep 2004 21:37:16 +0000 (GMT) (envelope-from nectar@celabo.org) Received: from localhost (localhost [127.0.0.1]) by gw.celabo.org (Postfix) with ESMTP id EBF6C5486E; Mon, 13 Sep 2004 16:37:15 -0500 (CDT) Received: from gw.celabo.org ([127.0.0.1]) by localhost (hellblazer.celabo.org [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 43480-06; Mon, 13 Sep 2004 16:37:05 -0500 (CDT) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (not verified)) by gw.celabo.org (Postfix) with ESMTP id 516845485D; Mon, 13 Sep 2004 16:37:05 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 2A6EB6D466; Mon, 13 Sep 2004 16:36:57 -0500 (CDT) Date: Mon, 13 Sep 2004 16:36:57 -0500 From: "Jacques A. Vidrine" To: Dan Langille Message-ID: <20040913213657.GD79520@madman.celabo.org> Mail-Followup-To: "Jacques A. 
Vidrine" , Dan Langille , freebsd-vuxml@freebsd.org References: <20040913123610.G22240@xeon.unixathome.org> <20040913174748.GC71191@madman.celabo.org> <20040913163933.O22240@xeon.unixathome.org> <20040913204739.GT71191@madman.celabo.org> <20040913164904.O22240@xeon.unixathome.org> <20040913123610.G22240@xeon.unixathome.org> <20040913174748.GC71191@madman.celabo.org> <20040913163933.O22240@xeon.unixathome.org> <20040913204739.GT71191@madman.celabo.org> <20040913165130.U22240@xeon.unixathome.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040913164904.O22240@xeon.unixathome.org> <20040913165130.U22240@xeon.unixathome.org> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.6i cc: freebsd-vuxml@freebsd.org Subject: Re: b7cb488c-8349-11d8-a41f-0020ed76ef5a : wrong package name (was Re: Matching a name to a port) X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Sep 2004 21:37:16 -0000 On Mon, Sep 13, 2004 at 04:53:35PM -0400, Dan Langille wrote: > Oh, portaudit doesn't use vuxml. I see. On Mon, Sep 13, 2004 at 04:49:41PM -0400, Dan Langille wrote: > The question is, how does portaudit know to report it? Portaudit *does* use VuXML, though it is not the sole source of information from which it pulls. 
Cheers, -- Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org From owner-freebsd-vuxml@FreeBSD.ORG Sat Sep 18 21:21:38 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 89E0616A4CE for ; Sat, 18 Sep 2004 21:21:38 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5DBD043D1D for ; Sat, 18 Sep 2004 21:21:38 +0000 (GMT) (envelope-from dan@langille.org) Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id 5407E3D3D for ; Sat, 18 Sep 2004 17:21:37 -0400 (EDT) From: "Dan Langille" To: freebsd-vuxml@freebsd.org Date: Sat, 18 Sep 2004 17:21:37 -0400 MIME-Version: 1.0 Message-ID: <414C6EA1.25173.34BD6CDE@localhost> Priority: normal X-mailer: Pegasus Mail for Windows (v4.12a) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body Subject: confused by ranges X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 21:21:38 -0000 I'm having a quick look through vuln.xml: 2.02.0.50_3 Intuitively, that means you are vulnerable if you have versions >= 2.0 or < 2.0.50_3. Is that correct? Is that how to apply the rules. I found the DTD confused me more than the examples did. This is an interesting example: 1.1.2_1 2.0 Two range statements in the same package... instead of one range with two operators. Why? -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/
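The FreshPorts approach Dan proposes in the "Matching a name to a port" messages above, written out as an added example that is not FreshPorts code: each VuXML <name> is compared with the ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX} of the ports FreshPorts knows, names with no port are ignored, and a vuln whose names all fail to match is flagged for investigation (the case a typo like iaskmpd produces). The port table, the vuln.xml fragment, its vids and its version bounds are constructed; the namespace URI is the one vuln.xml actually uses.

```python
"""Relate VuXML <name> entries to ports (added example, not FreshPorts code).

Assumptions: the namespace URI is the one vuln.xml really uses; the port
table, the XML fragment, its vids and its version bounds are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed port table: origin -> (PKGNAMEPREFIX, PORTNAME, PKGNAMESUFFIX).
PORTS = {
    "security/isakmpd": ("", "isakmpd", ""),
    "graphics/ImageMagick": ("", "ImageMagick", ""),
    "databases/mysql41-server": ("", "mysql", "-server"),
}

# Constructed vuln.xml fragment; vids and bounds are placeholders.
VULN_XML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="vid-typo"><affects>
    <package><name>iaskmpd</name><range><lt>20040312</lt></range></package>
  </affects></vuln>
  <vuln vid="vid-imagemagick"><affects>
    <package><name>ImageMagick</name><range><lt>5.5.7</lt></range></package>
    <package><name>ImageMagick-nox11</name><range><lt>5.5.7</lt></range></package>
  </affects></vuln>
  <vuln vid="vid-mysql"><affects>
    <package><name>mysql-server</name><range><lt>4.0.20</lt></range></package>
    <package><name>mysql-scripts</name><range><lt>4.0.20</lt></range></package>
  </affects></vuln>
</vuxml>"""


def package_name(prefix: str, portname: str, suffix: str) -> str:
    """${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}: the name VuXML matches on."""
    return f"{prefix}{portname}{suffix}"


def package_index(ports: dict) -> dict:
    """Invert the port table into package name -> port origin."""
    return {package_name(*parts): origin for origin, parts in ports.items()}


def map_vulns(xml_text: str, ports: dict) -> dict:
    """Return {vid: (matched {name: origin}, unmatched [name, ...])}."""
    index = package_index(ports)
    result = {}
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        matched, unmatched = {}, []
        for name_el in vuln.findall("v:affects/v:package/v:name", NS):
            name = (name_el.text or "").strip()
            if name in index:
                matched[name] = index[name]
            else:                      # no such port: set aside, don't abort
                unmatched.append(name)
        result[vuln.get("vid")] = (matched, unmatched)
    return result


def needs_investigation(mapping: dict) -> list:
    """vids whose every <name> failed to relate to a port (e.g. a typo)."""
    return sorted(vid for vid, (matched, _) in mapping.items() if not matched)


if __name__ == "__main__":
    mapping = map_vulns(VULN_XML, PORTS)
    for vid, (matched, unmatched) in mapping.items():
        print(vid, "matched:", matched, "unmatched:", unmatched)
    print("investigate:", needs_investigation(mapping))
```

A name that is misspelt in vuln.xml never matches any port or package, so the flagged list is the place a transposition like iaskmpd becomes visible before anyone relies on the entry.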
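For the "confused by ranges" question, an added example (not from the thread, nor portaudit's code) that evaluates VuXML <range> bounds against a package version. It assumes the VuXML convention that every bound inside one <range> must hold while separate <range> elements are alternatives, uses a simplified form of FreeBSD's pkg_version ordering (epoch after ",", dot-separated components, revision after "_"), and its XML fragment is constructed, with the package "bar" showing one assumed reading of the two-range case.

```python
"""Evaluate VuXML <range> bounds against a package version (added example).

Assumptions, not stated in the thread: bounds inside one <range> are
conjunctive and separate <range> elements are alternatives; the ordering
is a simplified pkg_version comparison (epoch ',', '.' components, '_'
revision) without letter-suffix special cases; the XML is constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}  # namespace vuln.xml uses

# Constructed fragment: "foo" carries the range the mail asks about; "bar"
# shows one assumed reading of the two-<range> case (a 1.x fix plus 2.0).
VULN_XML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="vid-one-range"><affects><package><name>foo</name>
    <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
  </package></affects></vuln>
  <vuln vid="vid-two-ranges"><affects><package><name>bar</name>
    <range><lt>1.1.2_1</lt></range>
    <range><eq>2.0</eq></range>
  </package></affects></vuln>
</vuxml>"""


def version_key(version: str) -> tuple:
    """Sort key (epoch, components, revision) for a FreeBSD package version."""
    epoch = revision = 0
    if "," in version:                      # PORTEPOCH, e.g. "1.2,1"
        version, e = version.rsplit(",", 1)
        epoch = int(e)
    if "_" in version:                      # PORTREVISION, e.g. "2.0.50_3"
        version, r = version.rsplit("_", 1)
        revision = int(r)
    parts = []
    for comp in version.split("."):         # "50a" -> (50, "a")
        m = re.match(r"(\d*)(.*)", comp)
        parts.append((int(m.group(1)) if m.group(1) else -1, m.group(2)))
    return (epoch, parts, revision)


OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "eq": lambda a, b: a == b, "ge": lambda a, b: a >= b,
       "gt": lambda a, b: a > b}


def in_range(range_el, version: str) -> bool:
    """True only if every bound inside this one <range> holds (AND)."""
    key = version_key(version)
    return all(OPS[b.tag.split("}")[-1]](key, version_key(b.text.strip()))
               for b in range_el)


def affected(xml_text: str, name: str, version: str) -> bool:
    """True if any <range> of the named package matches (ranges are ORed)."""
    root = ET.fromstring(xml_text)
    for pkg in root.findall("v:vuln/v:affects/v:package", NS):
        if pkg.findtext("v:name", namespaces=NS) != name:
            continue
        if any(in_range(r, version) for r in pkg.findall("v:range", NS)):
            return True
    return False


if __name__ == "__main__":
    for v in ("1.9", "2.0", "2.0.50_2", "2.0.50_3"):
        print("foo", v, affected(VULN_XML, "foo", v))
    for v in ("1.1.2", "1.1.2_1", "2.0", "2.0_1"):
        print("bar", v, affected(VULN_XML, "bar", v))
```

Under these assumptions 2.0 and 2.0.50_2 fall inside the first range while 1.9 and 2.0.50_3 do not, and the two-range package needs two <range> elements because the affected set (below 1.1.2_1, or exactly 2.0) is not contiguous.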