From: Xin LI
To: Kang Liu
Cc: freebsd-vuxml@freebsd.org, delphij@freebsd.org
Subject: Re: possible wrong date in 4a0b334d-8d8d-11d9-afa0-003048705d5a
Date: Mon, 07 Mar 2005 23:29:38 +0800
Organization: The FreeBSD Simplified Chinese Project

On Mon, 2005-03-07 at 22:41 +0800, Kang Liu wrote:
> Hi,
> The discovery date of 4a0b334d-8d8d-11d9-afa0-003048705d5a might be
> wrong. I've told delphij (the submitter of that entry), while he said that
> date came from the original source. But, as we all know, 2005 is not a leap
> year; actually there is no Feb 29th 2005... I think it could be better if we
> change it to Feb 28th 2005.

Thanks for noticing this. I'm aware of the issue, but the official
version claims Feb 29th:

http://216.127.76.78/~neosecur/index.php?pagina=advisories&id=8

And my letter had bounced before I decided to commit it as-is. I'm
inclined to keep it there until some of us can *actually* contact the
author to confirm the discovery date. Replacing an official (though it
appears to be wrong) date with a guessed value (we will never know if it
is or is not wrong, and I personally infer it should be March 1st) is
more or less pointless.

BTW, what's your opinion about the fix? Without correct filtering of
user input, one can launch XSS attacks, which puts users in danger.

Cheers,
-- 
Xin LI http://www.delphij.net/