From owner-freebsd-vuxml@FreeBSD.ORG  Sat Sep 18 21:21:38 2004
Return-Path: <owner-freebsd-vuxml@FreeBSD.ORG>
Delivered-To: freebsd-vuxml@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 89E0616A4CE
	for <freebsd-vuxml@freebsd.org>; Sat, 18 Sep 2004 21:21:38 +0000 (GMT)
Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5DBD043D1D
	for <freebsd-vuxml@freebsd.org>; Sat, 18 Sep 2004 21:21:38 +0000 (GMT)
	(envelope-from dan@langille.org)
Received: from wocker (wocker.unixathome.org [192.168.0.99])
	by bast.unixathome.org (Postfix) with ESMTP id 5407E3D3D
	for <freebsd-vuxml@freebsd.org>; Sat, 18 Sep 2004 17:21:37 -0400 (EDT)
From: "Dan Langille" <dan@langille.org>
To: freebsd-vuxml@freebsd.org
Date: Sat, 18 Sep 2004 17:21:37 -0400
MIME-Version: 1.0
Message-ID: <414C6EA1.25173.34BD6CDE@localhost>
Priority: normal
X-mailer: Pegasus Mail for Windows (v4.12a)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
Subject: confused by ranges
X-BeenThere: freebsd-vuxml@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Documenting security issues in VuXML <freebsd-vuxml.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-vuxml>,
	<mailto:freebsd-vuxml-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-vuxml>
List-Post: <mailto:freebsd-vuxml@freebsd.org>
List-Help: <mailto:freebsd-vuxml-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-vuxml>,
	<mailto:freebsd-vuxml-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Sep 2004 21:21:38 -0000

I'm having a quick look through vuln.xml:

        <range><ge>2.0</ge><lt>2.0.50_3</lt></range>

Intuitively, that means you are vulnerable if you have versions >= 
2.0 or < 2.0.50_3.

Is that correct?  Is that how to apply the rules. I found the DTD 
confused me more than the examples did.

This is an interesting example:

        <range><lt>1.1.2_1</lt></range>
        <range><ge>2.0</ge></range>

Two range statements in the same package... instead of one range with 
two operators.  Why?
-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/