From: Oliver Eikemeier
To: Pete Fritchman
cc: freebsd-vuxml@FreeBSD.org
cc: Tom Rhodes
cc: "Jacques A. Vidrine"
Date: Tue, 17 Aug 2004 21:32:05 +0200
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
In-Reply-To: <20040817185332.2B91D1800A@sirius.firepipe.net>
Message-Id: <1F055B5E-F084-11D8-924A-00039312D914@fillmore-labs.com>

Pete Fritchman wrote:

> Perhaps you could use CVS revision IDs (with 'ident'). For example,
>
> /usr/bin/passwd:
>      $FreeBSD: src/usr.bin/passwd/passwd.c,v 1.16.2.1 2001/03/12 10:48:08 assar Exp $
>      $FreeBSD: src/usr.sbin/pwd_mkdb/pw_scan.c,v 1.14.2.2 2004/02/22 11:28:06 charnier Exp $
>      $FreeBSD: src/usr.sbin/vipw/pw_util.c,v 1.17.2.4 2002/09/04 15:28:10 des Exp $
>      $FreeBSD: src/libexec/ypxfr/ypxfr_misc.c,v 1.9.2.2 2002/02/15 00:46:54 des Exp $
>      $FreeBSD: src/include/rpcsvc/yp.x,v 1.12 1999/08/27 23:45:12 peter Exp $
>      $FreeBSD: src/include/rpcsvc/yppasswd.x,v 1.6 1999/08/27 23:45:12 peter Exp $
>      $FreeBSD: src/usr.sbin/rpc.yppasswdd/yppasswd_private.x,v 1.6 1999/08/28 01:19:41 peter Exp $
>      $FreeBSD: src/usr.sbin/rpc.yppasswdd/yppasswd_private.x,v 1.6 1999/08/28 01:19:41 peter Exp $
>
> If a security bug was fixed in passwd.c 1.16.3.1, you could point out that
> I'm vulnerable. Most of the security advisories include the revision that
> things were fixed in, so this shouldn't be too hard.

Jacques doesn't seem to like this: "Aaaaaahh!". I don't really care, ident(1) is fine for me, and it seems like this is the only reliable indication. OTOH you'll need a couple of references (file, list of FreeBSD versions). Doable, so when no other ideas pop up we should do this.

-Oliver
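
The check discussed in this message, as an added example that is not part of the original mail or of portaudit: it parses ident(1) output and compares each file's revision with the first fixed revision on the same CVS branch, which is why one reference per branch is needed. The fixed revisions in `ADVISORY` are constructed for illustration, and `parse_ident`, `branch` and `check` are hypothetical names.

```python
import re

# RCS keyword strings as printed by ident(1), e.g.
# $FreeBSD: src/usr.bin/passwd/passwd.c,v 1.16.2.1 2001/03/12 ... Exp $
IDENT_RE = re.compile(r"\$FreeBSD: (\S+),v (\d+(?:\.\d+)+) ")

# ident(1) output shortened from the message above.
SAMPLE = """/usr/bin/passwd:
     $FreeBSD: src/usr.bin/passwd/passwd.c,v 1.16.2.1 2001/03/12 10:48:08 assar Exp $
     $FreeBSD: src/usr.sbin/pwd_mkdb/pw_scan.c,v 1.14.2.2 2004/02/22 11:28:06 charnier Exp $
     $FreeBSD: src/include/rpcsvc/yp.x,v 1.12 1999/08/27 23:45:12 peter Exp $
"""

# Constructed data, NOT from a real advisory: for each source file, the
# first fixed revision on every branch that received the fix.
ADVISORY = {
    "src/usr.bin/passwd/passwd.c": [(1, 16, 2, 2), (1, 20)],
    "src/usr.sbin/pwd_mkdb/pw_scan.c": [(1, 14, 2, 1)],
    "src/include/rpcsvc/yp.x": [(1, 12, 2, 1)],
}

def parse_ident(text):
    """Return {source file: revision as a tuple of ints}."""
    return {path: tuple(int(n) for n in rev.split("."))
            for path, rev in IDENT_RE.findall(text)}

def branch(rev):
    """A CVS revision's branch is everything but its last component."""
    return rev[:-1]

def check(found, fixed):
    """Classify every file named in the advisory data."""
    result = {}
    for path, fixes in fixed.items():
        rev = found.get(path)
        if rev is None:
            result[path] = "absent"
            continue
        # Revisions are only ordered within one branch.
        same = [f for f in fixes if branch(f) == branch(rev)]
        if not same:
            result[path] = "unknown"  # no fix listed for this branch
        else:
            result[path] = "vulnerable" if rev < same[0] else "fixed"
    return result

if __name__ == "__main__":
    for path, state in check(parse_ident(SAMPLE), ADVISORY).items():
        print(f"{state:10} {path}")
```

The "unknown" result is the case where the installed file sits on a branch the advisory data does not cover, so no conclusion can be drawn from the revision number alone.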