Date: Thu, 5 Oct 2006 11:36:02 +0400
From: "Andrew Pantyukhin" <sat@FreeBSD.org>
To: "Vasil Dimov" <vd@freebsd.org>
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, "Simon L. Nielsen" <simon@freebsd.org>, ports-committers@freebsd.org
Subject: Re: cvs commit: ports/security/vuxml vuln.xml
Message-ID: <cb5206420610050036hce062e0jf15f212fe9739b9a@mail.gmail.com>
In-Reply-To: <20061005055607.GB81754@qlovarnika.bg.datamax>
References: <200610041710.k94HAkxJ011471@repoman.freebsd.org> <20061004185417.GC1008@zaphod.nitro.dk> <cb5206420610042247h3bcb6454v7f9e50f2123e0879@mail.gmail.com> <20061005055607.GB81754@qlovarnika.bg.datamax>
On 10/5/06, Vasil Dimov <vd@freebsd.org> wrote:
> On Thu, Oct 05, 2006 at 09:47:40AM +0400, Andrew Pantyukhin wrote:
> > On 10/4/06, Simon L. Nielsen <simon@freebsd.org> wrote:
> > >On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> > >> sat 2006-10-04 17:10:46 UTC
> > >>
> > >> FreeBSD ports repository
> > >>
> > >> Modified files:
> > >> security/vuxml vuln.xml
> > >> Log:
> > >> - Document NULL byte injection vulnerability in phpbb
> > >>
> > >> Revision Changes Path
> > >> 1.1167 +40 -1 ports/security/vuxml/vuln.xml
> > >[...]
> > >> | <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> > >> | + <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
> > >> | + <topic>phpbb -- NULL byte injection vulnerability</topic>
> > >> | + <affects>
> > >> | + <package>
> > >> | + <name>phpbb</name>
> > >> | + <name>zh-phpbb-tw</name>
> > >> | + <range><lt>2.0.22</lt></range>
> > >
> > >Where did you find info about this being fixed in 2.0.22? I couldn't
> > >find it when checking the references and the phpbb web site.
> >
> > It seems I've been violating an extrapolation of your prior advice
> > to use >0 when there's no fix. My rationale is to look at an advisory,
> > its credibility and publicity, look at the affected project and its
> > history of fixing such advisories and draw a conclusion.
> >
>
> Do I correctly understand that you assumed that the issue will be fixed
> in 2.0.22 which is not yet released?
>
> This sounds totally bogus to me.
> _Do not assume anything!_

This only makes sense if you've been tracking security
issues closely for some time. I understand it does not
appear very rational, so I'll stop doing this and fix this
and some other advisories shortly.

Thanks for your attention!
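Review bot: the `<range><lt>2.0.22</lt></range>` line in `<affects>` puts an upper bound on the affected versions of phpbb and zh-phpbb-tw, but nothing in the hunk shown ties a fix to 2.0.22, and the reply directly under the hunk reports finding no such information in the references or on the phpbb web site. A bound on a release that has not been confirmed to contain the fix makes anything matching installed versions against this entry treat 2.0.22 and later as not affected. Until a fixed release is confirmed, use the open-ended form the thread refers to, `<range><gt>0</gt></range>`, and tighten it once the fixing version is known.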
