From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 18:06:14 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 442CC16A4CF; Tue, 17 Aug 2004 18:06:14 +0000 (GMT) Received: from pittgoth.com (14.zlnp1.xdsl.nauticom.net [209.195.149.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id AC04D43D1F; Tue, 17 Aug 2004 18:06:13 +0000 (GMT) (envelope-from trhodes@FreeBSD.org) Received: from localhost (acs-24-154-239-170.zoominternet.net [24.154.239.170]) (authenticated bits=0) by pittgoth.com (8.12.10/8.12.10) with ESMTP id i7HI4k0l075887 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 17 Aug 2004 14:04:47 -0400 (EDT) (envelope-from trhodes@FreeBSD.org) Date: Tue, 17 Aug 2004 14:05:21 -0400 From: Tom Rhodes To: "Jacques A. Vidrine" Message-Id: <20040817140521.1d0f252d@localhost> In-Reply-To: <20040817175847.GC43426@madman.celabo.org> References: <20040817122453.05edaaea@localhost> <56FC3488-F075-11D8-924A-00039312D914@fillmore-labs.com> <20040817175847.GC43426@madman.celabo.org> X-Mailer: Sylpheed-Claws 0.9.12 (GTK+ 1.2.10; i386-portbld-freebsd5.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit cc: freebsd-vuxml@FreeBSD.org Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Aug 2004 18:06:14 -0000 On Tue, 17 Aug 2004 12:58:47 -0500 "Jacques A. Vidrine" wrote: > [Moving to freebsd-vuxml ... oh how I wish Bcc worked so that people on > the other list knew where this went :-) ] NOTE: I am not subscribed to this list yet! I'm working on that right now! > > On Tue, Aug 17, 2004 at 07:46:16PM +0200, Oliver Eikemeier wrote: > > When you can live with the dummy text produced by my perl script > > ("Please contact the FreeBSD Security Team for more information.") and > > we can make the `discovered' entry optional, fine with me. I can write > > a `make entry' perl script that parses a form an generates a template > > entry, send-pr like. > > FWIW, this sounds fine by me, except about the part. > I see your point about it though... it may be dangerous to have a > bogus value (like the date of entry), because it may not get corrected > later. But I don't want it optional, so that it is not forgotten. > Perhaps we need the possiblity of marking something explicitly > for such occassions ... > > In the mean time, could the date of entry be used? And perhaps a > comment could be a workaround for now, something like > > 2004-08-17 > > Ugly, I know, but the current format wasn't made for > works-in-progress. Maybe we can make some options for that... How about N/A or "Unknown"? That shows that it needs corrected and that there is no problem. > > > >In place of arguing, start forging some code to check the base > > >system against the security listings in vuln.xml. > > > > portaudit could easily do that. The only thing useful here would be to > > use __FreeBSD_versions, so we can check -STABLE and -CURRENT too. Or can > > I map the version numbers somehow? I added __FreeBSD_versions in the > > last entry (multiple CVS vulnerabilities), but they are commented out > > since I don't know what the right syntax is. > > By way of example, I've been using FreeBSD 4.7-RELEASE-p1 == 4.7_1. I'm > not entirely satisfied and I am open to suggestions. This part has been > ill-specified. :-( Why not ident(1) on the specific files? A quick sh script could do this using variables parsed from VuXML entries. -- Tom Rhodes