Date: Wed, 4 Oct 2006 20:54:18 +0200
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Andrew Pantyukhin <sat@FreeBSD.org>
Cc: cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject: Re: cvs commit: ports/security/vuxml vuln.xml
Message-ID: <20061004185417.GC1008@zaphod.nitro.dk>
In-Reply-To: <200610041710.k94HAkxJ011471@repoman.freebsd.org>
References: <200610041710.k94HAkxJ011471@repoman.freebsd.org>
On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> sat         2006-10-04 17:10:46 UTC
>
>   FreeBSD ports repository
>
>   Modified files:
>     security/vuxml       vuln.xml
>   Log:
>   - Document NULL byte injection vulnerability in phpbb
>
>   Revision  Changes    Path
>   1.1167    +40 -1     ports/security/vuxml/vuln.xml

[...]

> |  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> | +  <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
> | +    <topic>phpbb -- NULL byte injection vulnerability</topic>
> | +    <affects>
> | +      <package>
> | +        <name>phpbb</name>
> | +        <name>zh-phpbb-tw</name>
> | +        <range><lt>2.0.22</lt></range>

Where did you find info about this being fixed in 2.0.22?  I couldn't
find it when checking the references and the phpbb web site.

> | +      </package>
> | +    </affects>
> | +    <description>
> | +      <body xmlns="http://www.w3.org/1999/xhtml">
> | +        <p>Secunia reports:</p>

[Note that the next comment is general, not just to you]

I'm a bit concerned with the recent number of entries directly/only
quoting Secunia advisories.  It's OK to quote commercial
"re-advisories", i.e. advisories in which the security company is "just"
reporting something found by a 3rd party, some of the time, but VuXML
shouldn't turn into an advertising post for a company (or other OS
projects issuing advisories for that matter).  When possible, the
original report of the problem should be used, or when that's not
possible (e.g. in this case) new text can be written.  I know it's
simpler just to copy/paste one of the "re-advisories", but I would
really prefer if it wasn't done as much.

On a related note, remember to double-check references for the
"re-advisories" since they don't always get the details right.  E.g.
Security Focus's vulnerability database ("Bugtraq ID") very often lists
versions which are vulnerable as not, and the other way around.

-- 
Simon L. Nielsen
FreeBSD Security Team
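Review bot: `<name>phpbb</name>` and `<name>zh-phpbb-tw</name>` share the single `<range><lt>2.0.22</lt></range>` in this `<package>` block; the bound only holds for both ports if zh-phpbb-tw tracks the same upstream version numbers as phpbb, otherwise it needs its own `<package>` block with its own range.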