From: Xin LI <delphij@delphij.net>
Organization: The FreeBSD Project
Date: Thu, 20 Nov 2008 12:01:16 -0800
Message-ID: <4925C20C.5020107@delphij.net>
References: <200811192237.mAJMbCnZ038587@freefall.freebsd.org> <4924A53F.10400@delphij.net>
To: Eygene Ryabinkin
Cc: Stanislav Sedov, delphij@FreeBSD.ORG, Martin Wilke, d@delphij.net, freebsd-security@FreeBSD.ORG
Subject: Re: ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
List-Id: "Security issues [members-only posting]"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, Eygene,

Eygene Ryabinkin wrote:
> Xin,
>
> Wed, Nov 19, 2008 at 03:46:07PM -0800, Xin LI wrote:
>>> Thanks for handling this. But I have a question: what is the general
>>> policy about versions that are to be documented within the 'range'
>>> clauses? You had changed the version specification to '1.1.4', but it
>>> has never been in the FreeBSD ports tree. So, should we specify only
>>> existing port versions, or can we specify vendor-specific versions as
>>> well, provided that the specification will be the same from the point of
>>> view of the port version evolution?
>> The '1.1.4' was chosen because the official release notes said so,
>> and it is the exact minimum version of the port, if it ever got into the
>> tree. Personally I think it's a bad idea to cover versions that are
>> known not to be vulnerable; for instance, the user might be running
>> 1.1.4 or 1.1.5 with their locally patched versions and not want to
>> upgrade, so producing false positives would actually hurt the credibility
>> of vuxml.
>
> OK, I expected such an answer. But then, what will you say after reading
> the history of ports/128698:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128698
>
> I understand that the mentioned PR is another case and there was no
> vulnerable version in the official ports tree. But the two PRs are a bit
> inconsistent in their treatment of the locally patched versions, so I am
> just curious -- maybe there should be some general understanding about
> this?
>
> Sorry for being so chatty, but I am just trying to understand the policy
> and best practices for VuXML.

OK, I understood what you mean. I have cc'ed miwi@ and stas@; it looks
like PR 128698 should be committed and not closed, from my understanding,
but that's my personal opinion.

In my opinion, there is nothing wrong with informing our user community
about a problem that may affect FreeBSD with third-party software. The
concept of "we protect users who use the official FreeBSD tree" is good,
but the long freeze/slush time could cause users to derive their own
variants of the tree, maybe by applying the patches in the PR (that is
usually seen in replies to -ports@) themselves.

Moreover, I think it's wrong to close ticket 128698 if no update to 1.1.6
has been committed, because the committers are a large team and this one
should have followed the better-safe-than-sorry rule.

Now mail/dovecot has been updated to 1.1.6, and it's true that 1.1.5 and
1.1.4 (affected by 128698) never hit the tree. Because CVE-2008-4577 and
CVE-2008-4578 affect only versions < 1.1.4, it's wrong to document it as
< 1.1.6. However, if the entry has been amended to cover CVE-2008-4907 as
a multiple vulnerabilities issue for dovecot, then I don't think covering
< 1.1.6 would be a wrong thing to do.

Cheers,
- -- 
Xin LI <delphij@delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkklwf0ACgkQi+vbBBjt66Cf5ACeKxd7Kb8nwctJ5lVA2JoMUXH7
BRsAoLMZ56EQCpZ77u0cbbwVXu5u1NMa
=PnV2
-----END PGP SIGNATURE-----
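The false-positive concern discussed in the thread can be checked mechanically: a VuXML `<range>` is a conjunction of bounds (`lt`, `le`, `eq`, `ge`, `gt`), and a range of `<lt>1.1.6</lt>` marks dovecot 1.1.4 and 1.1.5 as affected even though the two CVEs only apply before 1.1.4. The script below is an added illustration, not code from the thread or from the vuxml port; the `<vuln>` fragment is constructed with a placeholder `vid`, and the version comparison is a simplified dotted-integer compare rather than the full pkg_version(1) algorithm (no `_N`/`,N` suffix handling), which is an assumption made for brevity.

```python
"""Evaluate a VuXML <range> against candidate port versions.

Shows the false-positive effect from the thread: <lt>1.1.6</lt> flags
dovecot 1.1.4 and 1.1.5, while <lt>1.1.4</lt> flags only older versions.

Assumption: version strings are dotted integers. This is NOT the full
pkg_version(1)/portversion comparison (no _N/,N suffix handling).
"""
import xml.etree.ElementTree as ET

# Constructed VuXML fragment in the usual layout; the vid is a placeholder.
VUXML_SAMPLE = """<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>dovecot -- constructed example entry</topic>
  <affects>
    <package>
      <name>dovecot</name>
      <range><lt>1.1.4</lt></range>
    </package>
  </affects>
</vuln>"""


def parse_version(v):
    """'1.1.4' -> (1, 1, 4). Dotted integers only (assumption)."""
    return tuple(int(p) for p in v.strip().split("."))


def compare(a, b):
    """Three-way compare of two version strings; shorter tuples are padded with 0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


# VuXML range bounds; every bound inside one <range> must hold.
_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def affected_by_range(version, range_elem):
    """True when all bounds of a single <range> element hold for version."""
    for bound in range_elem:
        if bound.tag not in _OPS:
            raise ValueError("unknown range bound %r" % bound.tag)
        if not _OPS[bound.tag](compare(version, bound.text)):
            return False
    return True


def affected_versions(vuxml_text, package, candidates):
    """Return the candidates the entry marks as affected for package, sorted."""
    root = ET.fromstring(vuxml_text)
    hits = set()
    for pkg in root.iter("package"):
        if pkg.findtext("name") != package:
            continue
        for rng in pkg.findall("range"):
            hits.update(v for v in candidates if affected_by_range(v, rng))
    return sorted(hits, key=parse_version)


def entry_with_range(range_xml):
    """Build a constructed entry whose <range> body is range_xml, for comparison."""
    return VUXML_SAMPLE.replace("<lt>1.1.4</lt>", range_xml)


if __name__ == "__main__":
    versions = ["1.1.3", "1.1.4", "1.1.5", "1.1.6"]
    for rng in ("<lt>1.1.4</lt>", "<lt>1.1.6</lt>", "<ge>1.1.0</ge><lt>1.1.4</lt>"):
        hits = affected_versions(entry_with_range(rng), "dovecot", versions)
        print("%-32s -> affected: %s" % (rng, ", ".join(hits) or "(none)"))
```

Running it prints the affected subset for each range; the `<lt>1.1.6</lt>` line is the one that would produce the false positives for locally patched 1.1.4/1.1.5 installs that the thread is concerned about.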