Date:      Wed, 12 Sep 2012 14:07:43 +0000
From:      Alexey Dokuchaev <danfe@FreeBSD.org>
To:        Eitan Adler <eadler@freebsd.org>
Cc:        svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject:   Re: svn commit: r304136 - head/security/vuxml
Message-ID:  <20120912140743.GA13202@FreeBSD.org>
In-Reply-To: <CAF6rxgmDxwQ0bWEGjX3wcHjoVPfdToi6zGux3LfGnV13eT41YQ@mail.gmail.com>
References:  <201209120731.q8C7VMJ4020038@svn.freebsd.org> <CAF6rxgmhw5n0yq54ZOVx%2BVicWP9t=26Jj%2BMQsaJFnnK0zgw79Q@mail.gmail.com> <20120912132700.GA6185@FreeBSD.org> <CAF6rxgmDxwQ0bWEGjX3wcHjoVPfdToi6zGux3LfGnV13eT41YQ@mail.gmail.com>

On Wed, Sep 12, 2012 at 09:33:10AM -0400, Eitan Adler wrote:
> You can be patched against the first issue but still be vulnerable to
> the latter. One rule of thumb is if the version numbers differ between
> what was fixed it should be a separate VuXML.
> 
> VuXML doesn't track the underlying issue, it tracks what would be helpful
> for sysadmins or desktop users.
> 
> Think about it this way:
> - User sees warning for vuxml vid N
> - User updates
> - A few days later user sees a warning for vid N again
> - User is confused

He should not be: the vulnerability description was updated accordingly.  As for
version numbers, it should not be an issue since previously I was more
conservative and now the range(s) cover all the spectrum.  In fact, I would
be confused to see two very similar VuXML vids.

That said, if you still prefer to have two separate entries, let it be so,
I'll update it.

./danfe


