From: "Andrew Pantyukhin"
Sender: infofarmer@gmail.com
Reply-To: infofarmer@FreeBSD.org
To: "Simon L. Nielsen"
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, ports-committers@freebsd.org
Date: Thu, 5 Oct 2006 09:47:40 +0400
Subject: Re: cvs commit: ports/security/vuxml vuln.xml
In-Reply-To: <20061004185417.GC1008@zaphod.nitro.dk>
References: <200610041710.k94HAkxJ011471@repoman.freebsd.org> <20061004185417.GC1008@zaphod.nitro.dk>
List-Id: CVS commit messages for the entire tree

On 10/4/06, Simon L. Nielsen wrote:
> On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> > sat 2006-10-04 17:10:46 UTC
> >
> > FreeBSD ports repository
> >
> > Modified files:
> > security/vuxml vuln.xml
> > Log:
> > - Document NULL byte injection vulnerability in phpbb
> >
> > Revision Changes Path
> > 1.1167 +40 -1 ports/security/vuxml/vuln.xml
> [...]
> > |
> > | +
> > | + phpbb -- NULL byte injection vulnerability
> > | +
> > | +
> > | + phpbb
> > | + zh-phpbb-tw
> > | + 2.0.22
>
> Where did you find info about this being fixed in 2.0.22? I couldn't
> find it when checking the references and the phpbb web site.

It seems I've been violating an extrapolation of your prior advice to
use >0 when there's no fix. My rationale is to look at an advisory, its
credibility and publicity, look at the affected project and its history
of fixing such advisories, and draw a conclusion. I understand the
security implications of such premature conclusions, but in fact the
probability of a mistake in such cases is comparable with that of
marking a vulnerable port safe (also by mistake). If we value every bit
of security we can get, I should probably have stopped doing this
already. Sorry.

> > | +
> > | +
> > | +
> > | +
> > | +

Secunia reports:
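Review bot: the 2.0.22 bound on the phpbb and zh-phpbb-tw range is not supported by the cited references; the reply in this thread says the fix could not be found at the references or on the phpbb web site, so the entry marks 2.0.22 as safe on an assumption. Until a fixed release is confirmed, the range should carry no upper bound (the thread's earlier advice is to use >0 when there is no fix), and the range should be tightened in a follow-up commit once the fixing release is verified.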

> > [Note that the next comment is general, not just to you]
> >
> > I'm a bit concerned with the recent number of entries directly/only
> > quoting Secunia advisories. It's OK to quote commercial
> > "re-advisories", i.e. advisories which the security company are "just"
> > reporting of something found by a 3rd party, some of the time, but
> > VuXML shouldn't turn into an advertising post for a company (or other
> > OS projects issuing advisories for that matter).
> >
> > When possible the original report of the problem should be used, or
> > when that's not possible (e.g. in this case) new text can be written.
> >
> > I know it's simpler just to copy/paste one of the "re-advisories", but
> > I would really prefer if it wasn't done as much.
> >
> > On a related note, remember to double check references for the
> > "re-advisories" since they don't always get the details right. E.g.
> > Security Focus's vulnerability database ("Bugtraq ID") very often
> > lists versions which are vulnerable as not, and the other way around.

Secunia is a source of quite high quality, which does the job of
summarizing a possibly very technical and obscure report into a concise
and clear advisory. But I get your idea and will try to follow this
piece of advice. Thanks!
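As an added illustration, not part of this thread and not the entry that was committed to vuln.xml: a VuXML entry skeleton for the phpbb case, showing the fixed-version range as committed beside the open-ended form that Simon's earlier advice calls for when no fix has been confirmed. The element layout follows the usual vuln.xml conventions; the vid, the dates, the reference URL and the advisory text are placeholders, since the thread does not show them.

```xml
<!-- Added illustration, not the committed entry.
     vid, dates, URLs and advisory text are placeholders. -->
<vuln vid="PLACEHOLDER-UUID">
  <topic>phpbb -- NULL byte injection vulnerability</topic>
  <affects>
    <package>
      <name>phpbb</name>
      <name>zh-phpbb-tw</name>
      <!-- As committed: every version below 2.0.22 is affected and 2.0.22
           is treated as fixed. Only correct if a fixed release has
           actually been verified against the original report. -->
      <range><lt>2.0.22</lt></range>
      <!-- When no fixed release is confirmed, mark every version as
           affected instead, and tighten the range in a later commit once
           the fix is verified:
           <range><gt>0</gt></range> -->
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Secunia reports:</p>
      <blockquote cite="PLACEHOLDER-ADVISORY-URL">
        <p>PLACEHOLDER: advisory text, preferably taken from the original
           report rather than a re-advisory.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>PLACEHOLDER-ADVISORY-URL</url>
  </references>
  <dates>
    <discovery>PLACEHOLDER-DATE</discovery>
    <entry>PLACEHOLDER-DATE</entry>
  </dates>
</vuln>
```

The difference between the two ranges is the whole point of Simon's question: with `<lt>2.0.22</lt>`, a user on 2.0.22 is told they are safe on the strength of a guess, whereas `<gt>0</gt>` keeps the warning in place until someone has actually confirmed which release contains the fix.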