Date: Tue, 14 Nov 2006 22:02:28 +0100
From: Thierry Thomas
To: Remko Lodder
Cc: cvs-ports@FreeBSD.org, Xin LI, cvs-all@FreeBSD.org, "Simon L. Nielsen", ports-committers@FreeBSD.org
Subject: Re: cvs commit: ports/security/vuxml vuln.xml

On Tue 14 Nov 06 at 20:14:26 +0100, Remko Lodder wrote:

> Simon L. Nielsen wrote:
> >On 2006.11.14 16:57:17 +0000, Xin LI wrote:
> >>delphij 2006-11-14 16:57:17 UTC
> >>
> >> FreeBSD ports repository
> >>
> >> Modified files:
> >> security/vuxml vuln.xml
> >> Log:
> >> The Command Injection Vulnerability was corrected by awstats 6.5_2,1.
> >>
> >> Submitted by: Alex Samorukov
> >> PR: ports/105233
> >
> >Have you checked that the issues have really been fixed?
> >
>
> That was exactly the reason why I did not mark the entry
> as fixed yet...

I committed PR ports/104784, because it seems to me that the submitted patch back-ported fixes from the devel version, as advertised by the maintainer.

Unfortunately, AWStats is affected by several vulnerabilities, and it's not clear to me which one is concerned by VuXML ID 2df297a2-dc74-11da-a22b-000c6ec775d9. Perhaps we should specify the CVE references and / or add another entry in VuXML?

References:

- Vendor's explanations:
- VuXML entry:
- PR ports/104784:
- CVE-2006-3681
- Debian's PR with patches & discussion:

Regards,
-- 
Th. Thomas.