Date: Sun, 19 Sep 2004 14:48:02 +0200
From: Mathieu Arnold <mat@FreeBSD.org>
To: Dan Langille <dan@langille.org>
Cc: freebsd-vuxml@freebsd.org
Subject: Re: confused by ranges
Message-ID: <406631FA4FA5D14563850431@nescarba.in.t-online.fr>
In-Reply-To: <414D4589.218.3804EA89@localhost>
References: <414C6EA1.25173.34BD6CDE@localhost> <414D4589.218.3804EA89@localhost>

+-On 19/09/2004 08:38 -0400, Dan Langille wrote:
| On 19 Sep 2004 at 9:56, Mathieu Arnold wrote:
|
|> +-On 18/09/2004 17:21 -0400, Dan Langille wrote:
|> | I'm having a quick look through vuln.xml:
|> |
|> | <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
|> |
|> | Intuitively, that means you are vulnerable if you have versions >=
|> | 2.0 or < 2.0.50_3.
|>
|> This one is an AND : VER > 2.0 AND VER < 2.0.50_3
|
| If there are two operators in a range, it is an AND. The testing
| values always go before the supplied operator. Correct?
|
|> | Is that correct? Is that how to apply the rules. I found the DTD
|> | confused me more than the examples did.
|> |
|> | This is an interesting example:
|> |
|> | <range><lt>1.1.2_1</lt></range>
|> | <range><ge>2.0</ge></range>
|> |
|> | Two range statements in the same package... instead of one range with
|> | two operators. Why?
|>
|> This one is an OR, that is VER < 1.1.2_1 or VER > 2.0
|>
|> because the version can't be < 1.1.2_1 and > 2.0.
|
| If there are multiple ranges for a package within a vuln, they are
| used to construct an OR. Actually, they could be applied separately
| to test values separately (i.e. if one was processing this one row at
| a time, you could just test the value and not worry about whether or
| not the next row contained another range entry).
|
| Correct?

Yes, I think this description is a bit too complicated. A
<range>...</range> value defines a range of affected versions, and there
can be multiple ranges for a package.
But we're saying the same thing :-)

-- 
Mathieu Arnold
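
The range rules discussed in the message above, as an added Python example that is not part of the original e-mail or of any VuXML tooling: operators inside one <range> are ANDed, and separate <range> elements of a package are ORed. The package name, the function names and the simplified version comparison (numeric dotted versions with optional _revision and ,epoch) are assumptions made for the illustration.

```python
import operator
import xml.etree.ElementTree as ET

# Comparison elements that can appear inside a VuXML <range>.
OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}

def version_key(version):
    """Sort key (epoch, dotted parts, port revision).

    Assumption: a simplified comparison for purely numeric dotted
    versions; real port versions need the full pkg comparison rules.
    """
    version, _, epoch = version.strip().partition(",")
    version, _, revision = version.partition("_")
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:      # treat 2.0 and 2.0.0 as equal
        parts.pop()
    return (int(epoch or 0), tuple(parts), int(revision or 0))

def in_range(version, range_elem):
    """Every operator inside one <range> must hold (AND)."""
    tests = list(range_elem)
    if not tests:
        # An empty <range> would otherwise match every version.
        raise ValueError("empty <range> element")
    key = version_key(version)
    return all(OPS[t.tag](key, version_key(t.text)) for t in tests)

def is_affected(version, package_xml):
    """A version is affected if any <range> of the package matches (OR)."""
    package = ET.fromstring(package_xml)
    return any(in_range(version, r) for r in package.iter("range"))

# Constructed <package> elements wrapping the two range forms quoted above.
ONE_RANGE = ("<package><name>example-pkg</name>"
             "<range><ge>2.0</ge><lt>2.0.50_3</lt></range></package>")
TWO_RANGES = ("<package><name>example-pkg</name>"
              "<range><lt>1.1.2_1</lt></range>"
              "<range><ge>2.0</ge></range></package>")

if __name__ == "__main__":
    for v in ("1.1.2", "1.3.31", "2.0", "2.0.50_2", "2.0.50_3"):
        print(v, is_affected(v, ONE_RANGE), is_affected(v, TWO_RANGES))
```

Version 1.3.31 is the case that separates the two readings of the single range: an OR reading would flag it because it is below 2.0.50_3, while the AND reading does not.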
