From owner-freebsd-security@FreeBSD.ORG  Tue Nov 18 12:37:11 2008
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 776F01065677
	for <freebsd-security@freebsd.org>;
	Tue, 18 Nov 2008 12:37:11 +0000 (UTC) (envelope-from jille@quis.cx)
Received: from mulgore.hexon-is.nl (mulgore.hexon-is.nl [82.94.237.14])
	by mx1.freebsd.org (Postfix) with ESMTP id EF9238FC16
	for <freebsd-security@freebsd.org>;
	Tue, 18 Nov 2008 12:37:10 +0000 (UTC) (envelope-from jille@quis.cx)
X-Hexon-MailScanner-Watermark: 1227616621.76386@zMOkMo5tjClH51cgrDzvqg
Received: from [10.0.0.72] ([10.15.16.6]) (authenticated bits=0)
	by mulgore.hexon-is.nl (8.14.1/8.13.8) with ESMTP id mAICaxPR021076;
	Tue, 18 Nov 2008 13:36:59 +0100
Message-ID: <4922B6F9.2000408@quis.cx>
Date: Tue, 18 Nov 2008 13:37:13 +0100
From: Jille Timmermans <jille@quis.cx>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
References: <20081118103433.38D5817115@shadow.codelabs.ru>	<4922B371.6070002@quis.cx>
	<TqoTo5jliabZzOUld/zrRy5vtzI@+C9avPjAe6kfv7rH+xyHzR2RFw8>
In-Reply-To: <TqoTo5jliabZzOUld/zrRy5vtzI@+C9avPjAe6kfv7rH+xyHzR2RFw8>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Hexon-MailScanner-Information: Please contact the ISP for more information
X-Hexon-MailScanner-ID: mAICaxPR021076
X-Hexon-MailScanner: Found to be clean
X-Hexon-MailScanner-From: jille@quis.cx
Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP
 5.2.6
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Nov 2008 12:37:11 -0000

Good day to you too,

"PHP 5.2 through 5.2.6" makes the most sense.
However, "PHP 5.1 through" or even "PHP 5 through" are also possible.
I don't know much about CVE's; can we provide them feedback for this typo ?

I think the best is to wait for the CVE to get fixed and fix it in the vuxml entry afterwards.
I think you also had that plan ;)

-- Jille


Eygene Ryabinkin wrote:
> Jille, good day.
>
> Tue, Nov 18, 2008 at 01:22:09PM +0100, Jille Timmermans wrote:
>   
>> I think there is a typo in the vuxml descriptions:
>>  "PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6"
>> (PHP 5.6 doesn't exist (yet))
>>     
>
> Yes: it was written in that way at the CVE entry.  I had spotted this,
> but was not sure how to handle this.  Perhaps VuXML entry should really
> say "PHP 5.2 through 5.2.6" to avoid reader's confusion.
>
> Thanks for spotting this!
>