From: Xin LI
Reply-To: d@delphij.net
Organization: The FreeBSD Project
User-Agent: Thunderbird 2.0.0.17 (X11/20080928)
Date: Wed, 19 Nov 2008 15:46:07 -0800
To: Eygene Ryabinkin
Cc: freebsd-security@FreeBSD.ORG, delphij@FreeBSD.ORG
Subject: Re: ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
Message-ID: <4924A53F.10400@delphij.net>
References: <200811192237.mAJMbCnZ038587@freefall.freebsd.org>
OpenPGP: id=18EDEBA0; url=http://www.delphij.net/delphij.asc
List-Id: "Security issues \[members-only posting\]"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eygene Ryabinkin wrote:
> Xin, good day.
>
> Wed, Nov 19, 2008 at 10:37:12PM +0000, delphij@FreeBSD.org wrote:
>> Synopsis: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
>>
>> State-Changed-From-To: open->closed
>> State-Changed-By: delphij
>> State-Changed-When: Wed Nov 19 22:36:55 UTC 2008
>> State-Changed-Why:
>> Committed with some changes, thanks!
>
> Thanks for handling this. But I have a question: what is the general
> policy about versions that are to be documented within the 'range'
> clauses? You changed the version specification to '1.1.4', but it has
> never been in the FreeBSD ports tree. So, should we specify only
> existing port versions, or can we specify vendor-specific versions as
> well, provided that the specification will be the same from the point of
> view of the port version evolution?

The '1.1.4' was chosen because the official release notes said so, and
it is the exact minimum version of the port, if it ever got into the tree.

Personally I think it's a bad idea to cover versions that are known not
to be vulnerable; for instance, the user might be running 1.1.4 or 1.1.5
with their locally patched versions and not want to upgrade. Making
false positives would actually hurt the credibility of vuxml.

Cheers,
- --
Xin LI    http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkkkpT8ACgkQi+vbBBjt66BfdQCgvaViet3vX/oDTITgj0nP099r
yyIAn05iXdtYM0uU5oNBWBXcHEcHFFiF
=T4Wi
-----END PGP SIGNATURE-----
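The thread turns on how a vuxml `<range>` bound is matched against installed port versions, and on why an upper bound that is one version too high produces false positives. The following is an added example, not code from this thread, from the vuxml tooling, or from the FreeBSD project: a small Python checker that parses a constructed vuxml-style fragment for `dovecot` and applies a deliberately simplified pkg_version-style ordering (epoch after `,`, then dotted version components, then PORTREVISION after `_`). The `<lt>1.1.4</lt>` bound mirrors the version chosen in the thread; the `vid` is a placeholder, the helper `fragment_with_lt` is hypothetical, and the second fragment with `<lt>1.1.5</lt>` is constructed only to show the false positive Xin warns about.

```python
"""Evaluate a VuXML-style <range> against FreeBSD port version strings.

Added illustration: the XML below is a constructed sketch of the vuxml
range form discussed in the thread, not the entry committed to the ports
tree, and the comparator is a simplified version of the pkg_version
ordering (epoch ',' outranks version, which outranks PORTREVISION '_').
"""
import re
import xml.etree.ElementTree as ET


def fragment_with_lt(upper):
    """Build a constructed vuxml-style entry whose single bound is <lt>upper</lt>.

    Hypothetical helper; the vid is a placeholder, not a real vuxml id.
    """
    return f"""
<vuln vid="PLACEHOLDER-VID">
  <topic>dovecot -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>dovecot</name>
      <range><lt>{upper}</lt></range>
    </package>
  </affects>
</vuln>
"""


# The bound the thread settled on: the vendor's fixed version, 1.1.4.
VUXML_FRAGMENT = fragment_with_lt("1.1.4")

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def parse_version(v):
    """Split 'version_revision,epoch' into a comparable (epoch, comps, revision).

    Simplified: epoch and revision are ints; each dotted component becomes a
    tuple of tokens where numeric tokens sort before alphabetic ones, so
    1.1.3 < 1.1.4 and 1.1.3 < 1.1.3a. Not the full pkg algorithm.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    comps = []
    for part in v.split("."):
        toks = tuple((0, int(t), "") if t.isdigit() else (1, 0, t)
                     for t in _TOKEN.findall(part))
        comps.append(toks)
    return (epoch, comps, revision)


_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version, range_el):
    """True if version satisfies every bound inside one <range> (bounds are ANDed)."""
    key = parse_version(version)
    for bound in range_el:
        if not _OPS[bound.tag](key, parse_version(bound.text.strip())):
            return False
    return True


def split_pkgname(pkgname):
    """'dovecot-1.1.3_1' -> ('dovecot', '1.1.3_1'): the version follows the last '-'."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def affected(pkgname, fragment=VUXML_FRAGMENT):
    """True if the installed package matches any <range> of the matching <package>."""
    name, version = split_pkgname(pkgname)
    root = ET.fromstring(fragment)
    for pkg in root.iter("package"):
        if pkg.findtext("name") != name:
            continue
        # Multiple <range> elements are alternatives: any one matching suffices.
        if any(in_range(version, rng) for rng in pkg.findall("range")):
            return True
    return False


if __name__ == "__main__":
    # Constructed installed-package names, including a locally patched 1.1.4.
    for p in ["dovecot-1.1.3", "dovecot-1.1.3_2", "dovecot-1.1.4", "dovecot-1.1.5"]:
        print(p, "affected" if affected(p) else "not affected")
    # The over-wide bound the thread argues against: 1.1.4 is flagged although fixed.
    print("with <lt>1.1.5</lt>, dovecot-1.1.4 affected:",
          affected("dovecot-1.1.4", fragment_with_lt("1.1.5")))
```

With the `1.1.4` bound, `1.1.3` and any `1.1.3_N` port revision are flagged while `1.1.4` and `1.1.5` are not, which is the behaviour Xin describes. Replacing the bound with the next version that actually appeared in the tree would flag a user's locally patched `1.1.4`, the false positive that erodes trust in the database.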