From owner-cvs-all@FreeBSD.ORG Wed Oct 4 18:54:56 2006
Return-Path:
X-Original-To: cvs-all@FreeBSD.org
Delivered-To: cvs-all@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9113C16A47C; Wed, 4 Oct 2006 18:54:56 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk)
Received: from mx.nitro.dk (zarniwoop.nitro.dk [83.92.207.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C7DC43DB5; Wed, 4 Oct 2006 18:54:19 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk)
Received: from zaphod.nitro.dk (unknown [192.168.3.39]) by mx.nitro.dk (Postfix) with ESMTP id 64AB72D4904; Wed, 4 Oct 2006 18:54:18 +0000 (UTC)
Received: by zaphod.nitro.dk (Postfix, from userid 3000) id 54CE011420; Wed, 4 Oct 2006 20:54:18 +0200 (CEST)
Date: Wed, 4 Oct 2006 20:54:18 +0200
From: "Simon L. Nielsen"
To: Andrew Pantyukhin
Message-ID: <20061004185417.GC1008@zaphod.nitro.dk>
References: <200610041710.k94HAkxJ011471@repoman.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200610041710.k94HAkxJ011471@repoman.freebsd.org>
User-Agent: Mutt/1.5.11
Cc: cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject: Re: cvs commit: ports/security/vuxml vuln.xml
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the entire tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 04 Oct 2006 18:54:56 -0000

On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> sat         2006-10-04 17:10:46 UTC
>
>   FreeBSD ports repository
>
>   Modified files:
>     security/vuxml       vuln.xml
>   Log:
>   - Document NULL byte injection vulnerability in phpbb
>
>   Revision  Changes    Path
>   1.1167    +40 -1     ports/security/vuxml/vuln.xml
[...]
> |
> | +
> | +     phpbb -- NULL byte injection vulnerability
> | +
> | +
> | +         phpbb
> | +         zh-phpbb-tw
> | +         2.0.22

Where did you find info about this being fixed in 2.0.22?  I couldn't find it when checking the references and the phpbb web site.

> | +
> | +
> | +
> | +
> | +
> | +     Secunia reports:

[Note that the next comment is general, not just to you]

I'm a bit concerned with the recent number of entries directly/only quoting Secunia advisories.  It's OK to quote commercial "re-advisories", i.e. advisories where the security company is "just" reporting something found by a 3rd party, some of the time, but VuXML shouldn't turn into an advertising post for a company (or other OS projects issuing advisories for that matter).  When possible the original report of the problem should be used, or when that's not possible (e.g. in this case) new text can be written.  I know it's simpler just to copy/paste one of the "re-advisories", but I would really prefer if it wasn't done as much.

On a related note, remember to double check references for the "re-advisories" since they don't always get the details right.  E.g. Security Focus's vulnerability database ("Bugtraq ID") very often lists versions which are vulnerable as not, and the other way around.

-- 
Simon L. Nielsen
FreeBSD Security Team