From owner-freebsd-vuxml@FreeBSD.ORG Sun Sep 19 08:01:54 2004
Date: Sun, 19 Sep 2004 10:02:37 +0200
From: Mathieu Arnold
To: freebsd-vuxml@freebsd.org
Message-ID: <5127566408FEC0289696CC7A@nescarba.in.t-online.fr>
In-Reply-To: <414C6EA1.25173.34BD6CDE@localhost>
References: <414C6EA1.25173.34BD6CDE@localhost>
Subject: Re: confused by ranges
List-Id: Documenting security issues in VuXML

+-On 18/09/2004 17:21 -0400, Dan Langille wrote:
| I'm having a quick look through vuln.xml:
|
| 2.02.0.50_3
|
| Intuitively, that means you are vulnerable if you have versions >=
| 2.0 or < 2.0.50_3.

This one is an AND: VER > 2.0 AND VER < 2.0.50_3

| Is that correct? Is that how to apply the rules. I found the DTD
| confused me more than the examples did.
|
| This is an interesting example:
|
| 1.1.2_1
| 2.0
|
| Two range statements in the same package... instead of one range with
| two operators. Why?

This one is an OR, that is VER < 1.1.2_1 or VER > 2.0, because the version
can't be < 1.1.2_1 and > 2.0.

-- 
Mathieu Arnold
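
The AND-within-a-range, OR-across-ranges rule from the reply above, as an added example that is not part of the original message or of any VuXML tooling. The version comparison is a simplified assumption (dotted numbers plus an optional `_revision`), not the full FreeBSD package version algorithm, and the operators are the ones written in the reply.

```python
import operator
import re

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}

def version_key(version):
    """Simplified sort key: dotted numeric parts plus an optional _revision.
    Assumption: this is not the full FreeBSD package version comparison."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+))?", version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while parts and parts[-1] == 0:   # treat 2.0 and 2 as the same version
        parts.pop()
    return tuple(parts), int(m.group(2) or 0)

def in_range(version, constraints):
    """One range: every operator in it must hold (AND)."""
    key = version_key(version)
    return all(OPS[op](key, version_key(bound)) for op, bound in constraints)

def is_affected(version, ranges):
    """One package entry: matching any of its ranges is enough (OR)."""
    return any(in_range(version, r) for r in ranges)

# Constructed data, using the operators as written in the reply above.
FIRST = [[(">", "2.0"), ("<", "2.0.50_3")]]      # one range, two operators
SECOND = [[("<", "1.1.2_1")], [(">", "2.0")]]    # two ranges, one operator each
MERGED = [[("<", "1.1.2_1"), (">", "2.0")]]      # SECOND squeezed into one range

if __name__ == "__main__":
    for v in ("1.1.2", "1.1.2_1", "1.5", "2.0.49", "2.0.50_2", "2.0.50_3"):
        print(v, is_affected(v, FIRST), is_affected(v, SECOND),
              is_affected(v, MERGED))
```

`MERGED` never matches any version, which is why the second entry has to be written as two separate ranges.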