Date: Thu, 20 Nov 2008 03:44:01 +0300
From: Eygene Ryabinkin
To: d@delphij.net
Cc: freebsd-security@FreeBSD.ORG, delphij@FreeBSD.ORG
Subject: Re: ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
In-Reply-To: <4924A53F.10400@delphij.net>
References: <200811192237.mAJMbCnZ038587@freefall.freebsd.org> <4924A53F.10400@delphij.net>

Xin,

Wed, Nov 19, 2008 at 03:46:07PM -0800, Xin LI wrote:
> > Thanks for handling this.  But I have a question: what is the general
> > policy about versions that are to be documented within the 'range'
> > clauses?  You had changed version specification to '1.1.4', but it has
> > never been in the FreeBSD ports tree.  So, should we specify only
> > existing port versions or can we specify vendor-specific versions as
> > well, provided that the specification will be the same from the point of
> > view of the port version evolution?
>
> The '1.1.4' was chosen because the official release notes said so,
> and it is the exact minimum version of the port, if it ever got into the
> tree.  Personally I think it's a bad idea to cover versions that are
> known not to be vulnerable, for instance, the user might be running
> 1.1.4 or 1.1.5 with their local patched versions and does not want to
> upgrade, making false positives would actually hurt the credibility of
> vuxml.

OK, I expected such an answer.  But then, what will you say after reading
the history of ports/128698:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128698

I understand that the mentioned PR is another case and there was no
vulnerable version in the official ports tree.  But two PRs are a bit
inconsistent in their treatment of the locally patched versions, so
I am just curious -- maybe there should be some general understanding
about this?

Sorry for being so chatty, but I am just trying to understand the
policy and best practices for VuXML.

Thanks!
-- 
Eygene

Remember that it is hard to read the on-line manual
while single-stepping the kernel.
    -- FreeBSD Developers handbook