Date: Sun, 19 Sep 2004 14:48:02 +0200
From: Mathieu Arnold <mat@FreeBSD.org>
To: Dan Langille <dan@langille.org>
Cc: freebsd-vuxml@freebsd.org
Subject: Re: confused by ranges
Message-ID: <406631FA4FA5D14563850431@nescarba.in.t-online.fr>
In-Reply-To: <414D4589.218.3804EA89@localhost>
References: <414C6EA1.25173.34BD6CDE@localhost> <414D4589.218.3804EA89@localhost>
+-On 19/09/2004 08:38 -0400, Dan Langille wrote:
| On 19 Sep 2004 at 9:56, Mathieu Arnold wrote:
|
|> +-On 18/09/2004 17:21 -0400, Dan Langille wrote:
|> | I'm having a quick look through vuln.xml:
|> |
|> | <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
|> |
|> | Intuitively, that means you are vulnerable if you have versions >=
|> | 2.0 or < 2.0.50_3.
|>
|> This one is an AND : VER > 2.0 AND VER < 2.0.50_3
|
| If there are two operators in a range, it is an AND. The testing
| values always go before the supplied operator. Correct?
|
|> | Is that correct? Is that how to apply the rules? I found the DTD
|> | confused me more than the examples did.
|> |
|> | This is an interesting example:
|> |
|> | <range><lt>1.1.2_1</lt></range>
|> | <range><ge>2.0</ge></range>
|> |
|> | Two range statements in the same package... instead of one range with
|> | two operators. Why?
|>
|> This one is an OR, that is VER < 1.1.2_1 or VER > 2.0
|>
|> because the version can't be < 1.1.2_1 and > 2.0.
|
| If there are multiple ranges for a package within a vuln, they are
| used to construct an OR. Actually, they could be applied separately
| to test values separately (i.e. if one was processing this one row at
| a time, you could just test the value and not worry about whether or
| not the next row contained another range entry).
|
| Correct?

Yes, I think this description is a bit too complicated. A <range>...</range> value defines a range of affected versions, and there can be multiple ranges for a package.

But we're saying the same thing :-)
--
Mathieu Arnold
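The semantics agreed on in this thread, as an added example that is not part of the original message and not the FreeBSD vuxml project's own code: the operator children of one <range> are ANDed, and several <range> elements under one <package> are ORed, so a version is affected if any range matches. The <ge>/<lt> elements are implemented as >= and < following their names. The version comparison is an assumption: a simplified model of FreeBSD port version ordering (optional ",EPOCH" suffix compared first, dotted components with numbers compared numerically, optional "_PORTREVISION" compared last), not the comparator used by the real pkg tools. The XML document and the package names "apache" and "foo" are constructed for the example; the thread does not name the packages.

```python
"""Evaluate VuXML-style <range> elements against a package version.

Added example, not the FreeBSD vuxml project's own code. It implements the
semantics discussed in the thread (operators inside one <range> are ANDed,
multiple <range> elements under a <package> are ORed) on top of an assumed,
simplified FreeBSD version ordering.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample wrapping the thread's two examples; the package names
# are hypothetical and the real vuln.xml carries more surrounding markup.
SAMPLE_XML = """
<vuln vid="example-vid">
  <affects>
    <package>
      <name>apache</name>
      <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
    </package>
    <package>
      <name>foo</name>
      <range><lt>1.1.2_1</lt></range>
      <range><ge>2.0</ge></range>
    </package>
  </affects>
</vuln>
"""

# Each operator is applied as "VERSION <op> BOUND", i.e. the version under
# test goes on the left, the value from the XML on the right.
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def parse_version(v):
    """Split 'VERSION[_REV][,EPOCH]' into (epoch, components, portrevision).

    Assumption: simplified FreeBSD package-version ordering. Numeric segments
    compare numerically, alphabetic segments as strings; a numeric segment
    always sorts below an alphabetic one at the same position.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = []
    for chunk in v.split("."):
        # "50a" becomes (0, 50), (1, "a") so digits and letters never mix
        for tok in re.findall(r"\d+|[A-Za-z]+", chunk):
            parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return epoch, parts, rev


def compare_versions(a, b):
    """Return -1, 0 or 1 like strcmp; missing trailing components count as 0."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa = pa + [(0, 0)] * (n - len(pa))
    pb = pb + [(0, 0)] * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)


def range_matches(rng, version):
    """One <range>: every operator child must hold (AND)."""
    ops = list(rng)
    if not ops:
        raise ValueError("<range> without operators")
    for op in ops:
        if op.tag not in OPS:
            raise ValueError("unknown range operator <%s>" % op.tag)
    return all(OPS[op.tag](compare_versions(version, op.text.strip()))
               for op in ops)


def package_affected(pkg, version):
    """One <package>: any of its <range> elements matching suffices (OR)."""
    return any(range_matches(r, version) for r in pkg.findall("range"))


def affected_versions(xml_text, name, versions):
    """Map each candidate version of package `name` to True if affected."""
    root = ET.fromstring(xml_text)
    result = {}
    for pkg in root.iter("package"):
        if pkg.findtext("name") == name:
            for v in versions:
                result[v] = package_affected(pkg, v)
    return result


if __name__ == "__main__":
    for name, vs in (("apache", ["1.3.31", "2.0", "2.0.50_2", "2.0.50_3"]),
                     ("foo", ["1.1.1", "1.1.2_1", "1.5", "2.0", "2.1_4"])):
        for v, hit in affected_versions(SAMPLE_XML, name, vs).items():
            print("%s-%s: %s" % (name, v, "affected" if hit else "not affected"))
```

Because the ranges are ORed, each <range> can be checked on its own, exactly as the thread notes: a scanner walking the file row by row never needs to look ahead to the next <range> to decide whether the current one matches. The comparator here is deliberately small; for real auditing of an installed system rely on the FreeBSD pkg tooling, which applies the full port version rules rather than this simplified model.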