Date: Sun, 19 Sep 2004 10:24:24 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Dan Langille <dan@langille.org>
Cc: freebsd-vuxml@freebsd.org
Subject: Re: confused by ranges
Message-ID: <20040919152424.GA16616@lum.celabo.org>
In-Reply-To: <414C6EA1.25173.34BD6CDE@localhost>
References: <414C6EA1.25173.34BD6CDE@localhost>

On Sat, Sep 18, 2004 at 05:21:37PM -0400, Dan Langille wrote:
> I'm having a quick look through vuln.xml:
>
>   <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
>
> Intuitively, that means you are vulnerable if you have versions >=
> 2.0 or < 2.0.50_3.

Not quite. <range> elements specify version ranges (intervals).
The snip above specifies

   x >= 2.0 AND x < 2.0.50_3
   2.0 <= x < 2.0.50_3
   [2.0, 2.0.50_3)

All of these are acceptable means of expressing the same idea. I tend
to visualize the middle one... and in fact that is how I render the
ranges on vuxml.org (e.g. "2.0 <= apache < 2.0.50_3").

> Is that correct? Is that how to apply the rules. I found the DTD
> confused me more than the examples did.

Then perhaps I should add some more examples and work on the text
description :-)

> This is an interesting example:
>
>   <range><lt>1.1.2_1</lt></range>
>   <range><ge>2.0</ge></range>
>
> Two range statements in the same package... instead of one range with
> two operators. Why?

Because they are two non-contiguous ranges and cannot be expressed by
a single interval. The two are:

   x < 1.1.2_1
   2.0 >= x

or equivalently [0, 1.1.2_1) and [2.0, infinity).

Hmm, re-reading what you wrote, it seems you want to think of it
algorithmically. In that case, you could interpret each <range>
element as containing expressions that should be ANDed (although the
number and form of the expressions are constrained by the DTD), while
multiple <range> elements in one <package> should be ORed.

Hope this helps!

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org
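
The AND-within-a-<range>, OR-across-<range> rule described in the message above, as an added example (not part of the original e-mail and not VuXML project code). It assumes a simplified version comparator rather than the full FreeBSD package version algorithm, and the sample XML and the package name "example-pkg" are constructed for illustration.

```python
import operator
import re
import xml.etree.ElementTree as ET

# Constructed sample built from the two snippets quoted in the thread.
# The package name "example-pkg" is an assumption for illustration.
SAMPLE = """<affects>
  <package><name>apache</name>
    <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
  </package>
  <package><name>example-pkg</name>
    <range><lt>1.1.2_1</lt></range>
    <range><ge>2.0</ge></range>
  </package>
</affects>"""

OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}

def version_key(v):
    """Simplified sort key: (epoch, dotted components, port revision).
    Assumption: this is not the full FreeBSD pkg comparison algorithm."""
    v, _, epoch = v.partition(",")
    v, _, rev = v.partition("_")
    parts = []
    for comp in v.split("."):
        m = re.match(r"(\d*)(.*)", comp)
        parts.append((int(m.group(1) or 0), m.group(2)))
    while parts and parts[-1] == (0, ""):
        parts.pop()  # so that 2.0 and 2.0.0 compare equal
    return (int(epoch or 0), parts, int(rev or 0))

def in_range(range_el, version):
    """One <range>: every operator child must hold (AND)."""
    key = version_key(version)
    return all(OPS[c.tag](key, version_key(c.text.strip())) for c in range_el)

def is_affected(package_el, version):
    """One <package>: a match in any of its <range> elements suffices (OR)."""
    return any(in_range(r, version) for r in package_el.findall("range"))

def affected(xml_text, name, version):
    """True if the named package at this version falls in a listed range."""
    root = ET.fromstring(xml_text)
    return any(p.findtext("name") == name and is_affected(p, version)
               for p in root.iter("package"))

if __name__ == "__main__":
    for pkg, ver in [("apache", "1.3.31"), ("apache", "2.0.50_2"),
                     ("example-pkg", "1.5"), ("example-pkg", "2.1")]:
        print(pkg, ver, affected(SAMPLE, pkg, ver))
```

Version 1.3.31 is the case that separates the two readings: it is below 2.0.50_3 but not at or above 2.0, so the interval reading leaves it outside the range.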