Date:      Wed, 4 Oct 2006 20:54:18 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Andrew Pantyukhin <sat@FreeBSD.org>
Cc:        cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject:   Re: cvs commit: ports/security/vuxml vuln.xml
Message-ID:  <20061004185417.GC1008@zaphod.nitro.dk>
In-Reply-To: <200610041710.k94HAkxJ011471@repoman.freebsd.org>
References:  <200610041710.k94HAkxJ011471@repoman.freebsd.org>

On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> sat         2006-10-04 17:10:46 UTC
> 
>   FreeBSD ports repository
> 
>   Modified files:
>     security/vuxml       vuln.xml 
>   Log:
>   - Document NULL byte injection vulnerability in phpbb
>   
>   Revision  Changes    Path
>   1.1167    +40 -1     ports/security/vuxml/vuln.xml
[...]
> |  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
> | +  <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
> | +    <topic>phpbb -- NULL byte injection vulnerability</topic>
> | +    <affects>
> | +      <package>
> | +	<name>phpbb</name>
> | +	<name>zh-phpbb-tw</name>
> | +	<range><lt>2.0.22</lt></range>
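Review bot: the fixed-version bound `<range><lt>2.0.22</lt></range>` has no visible source in the commit log or the quoted entry; cite the upstream release note or changelog that confirms 2.0.22 as the fixed release, or, if no fix is confirmed, do not state an upper bound that consumers of vuln.xml will read as "2.0.22 is safe".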

Where did you find info about this being fixed in 2.0.22?  I couldn't
find it when checking the references and the phpbb web site.

> | +      </package>
> | +    </affects>
> | +    <description>
> | +      <body xmlns="http://www.w3.org/1999/xhtml">;
> | +	<p>Secunia reports:</p>

[Note that the next comment is general, not just to you]

I'm a bit concerned with the recent number of entries directly/only
quoting Secunia advisories.  It's OK to quote commercial
"re-advisories", i.e. advisories in which the security company is "just"
reporting something found by a 3rd party, some of the time, but
VuXML shouldn't turn into an advertising post for a company (or other
OS projects issuing advisories for that matter).

When possible, the original report of the problem should be used, or
when that's not possible (e.g. in this case) new text can be written.

I know it's simpler just to copy/paste one of the "re-advisories", but
I would really prefer if it wasn't done as much.

On a related note, remember to double check references for the
"re-advisories" since they don't always get the details right.  E.g.
Security Focus's vulnerability database ("Bugtraq ID") very often
lists versions which are vulnerable as not, and the other way around.

-- 
Simon L. Nielsen
FreeBSD Security Team
