Date:      Thu, 5 Oct 2006 11:36:02 +0400
From:      "Andrew Pantyukhin" <sat@FreeBSD.org>
To:        "Vasil Dimov" <vd@freebsd.org>
Cc:        cvs-ports@freebsd.org, cvs-all@freebsd.org, "Simon L. Nielsen" <simon@freebsd.org>, ports-committers@freebsd.org
Subject:   Re: cvs commit: ports/security/vuxml vuln.xml
Message-ID:  <cb5206420610050036hce062e0jf15f212fe9739b9a@mail.gmail.com>
In-Reply-To: <20061005055607.GB81754@qlovarnika.bg.datamax>
References:  <200610041710.k94HAkxJ011471@repoman.freebsd.org> <20061004185417.GC1008@zaphod.nitro.dk> <cb5206420610042247h3bcb6454v7f9e50f2123e0879@mail.gmail.com> <20061005055607.GB81754@qlovarnika.bg.datamax>

On 10/5/06, Vasil Dimov <vd@freebsd.org> wrote:
> On Thu, Oct 05, 2006 at 09:47:40AM +0400, Andrew Pantyukhin wrote:
> > On 10/4/06, Simon L. Nielsen <simon@freebsd.org> wrote:
> > >On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> > >> sat         2006-10-04 17:10:46 UTC
> > >>
> > >>   FreeBSD ports repository
> > >>
> > >>   Modified files:
> > >>     security/vuxml       vuln.xml
> > >>   Log:
> > >>   - Document NULL byte injection vulnerability in phpbb
> > >>
> > >>   Revision  Changes    Path
> > >>   1.1167    +40 -1     ports/security/vuxml/vuln.xml
> > >[...]
> > >> |  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
> > >> | +  <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
> > >> | +    <topic>phpbb -- NULL byte injection vulnerability</topic>
> > >> | +    <affects>
> > >> | +      <package>
> > >> | +   <name>phpbb</name>
> > >> | +   <name>zh-phpbb-tw</name>
> > >> | +   <range><lt>2.0.22</lt></range>
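Review bot: the `<range><lt>2.0.22</lt></range>` upper bound asserts that 2.0.22 contains the fix, which the references for this entry do not establish (the reply below asks exactly where that version came from). An upper bound taken on faith silences the entry for phpbb-2.0.22 even if that release ships without the fix. Until a fixed release is confirmed, leave the range open-ended (the ">0" convention the thread itself cites for issues with no known fix) and tighten it to the real fixed version when one is published.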
> > >
> > >Where did you find info about this being fixed in 2.0.22?  I couldn't
> > >find it when checking the references and the phpbb web site.
> >
> > It seems I've been violating an extrapolation of your prior advice
> > to use >0 when there's no fix. My rationale is to look at an advisory,
> > its credibility and publicity, look at the affected project and its
> > history of fixing such advisories and draw a conclusion.
> >
>
> Do I correctly understand that you assumed that the issue will be fixed
> in 2.0.22 which is not yet released?
>
> This sounds totally bogus to me.
> _Do not assume anything!_

This only makes sense if you've been tracking security
issues closely for some time. I understand it does not
appear very rational, so I'll stop doing this and fix this
and some other advisories shortly.

Thanks for your attention!



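The practical consequence of the range choice under discussion, as an added example that is not part of this thread or of the ports tree: a small Python evaluator that walks the <affects> section of two constructed VuXML fragments, modelled on the quoted phpbb entry, and reports whether a given package version is covered. With the guessed `<lt>2.0.22</lt>` upper bound, phpbb-2.0.22 drops off the report even though nothing confirms the fix shipped; with the open-ended `<ge>0</ge>` range (assumed here as the VuXML spelling of the ">0" convention mentioned above), it stays on the report until someone records the real fixed version. The version comparison is a simplified dotted-numeric one, not the full pkg_version(1) rules, and the vid values are placeholders.

```python
"""Evaluate VuXML <affects> ranges against an installed package version.

Added example, not code from the thread or the FreeBSD ports tree.
Assumptions: a simplified dotted-numeric version comparison (not the full
pkg_version(1) rules) and two constructed VuXML fragments with placeholder
vid values, modelled on the quoted phpbb entry.
"""
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed entry: asserts, without evidence, that 2.0.22 contains the fix.
VULN_WITH_GUESSED_FIX = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="example-guessed-fix">
    <topic>phpbb -- NULL byte injection vulnerability</topic>
    <affects>
      <package>
        <name>phpbb</name>
        <name>zh-phpbb-tw</name>
        <range><lt>2.0.22</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""

# Constructed entry: open-ended range, used when no fixed release is known.
VULN_NO_KNOWN_FIX = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="example-no-fix">
    <topic>phpbb -- NULL byte injection vulnerability</topic>
    <affects>
      <package>
        <name>phpbb</name>
        <name>zh-phpbb-tw</name>
        <range><ge>0</ge></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""


def version_key(version):
    """Simplified comparison key: split on '.' and compare numerically.

    Assumption: suffix letters, '_' revisions and ',' epochs that the real
    pkg_version(1) ordering understands are not handled here.
    """
    return tuple(int(part) for part in version.split("."))


# Each bound element in a <range> maps to a comparison of (installed, bound).
_OPS = {
    "lt": lambda a, b: version_key(a) < version_key(b),
    "le": lambda a, b: version_key(a) <= version_key(b),
    "gt": lambda a, b: version_key(a) > version_key(b),
    "ge": lambda a, b: version_key(a) >= version_key(b),
    "eq": lambda a, b: version_key(a) == version_key(b),
}


def in_range(range_el, version):
    """A <range> matches when every bound it lists holds for the version."""
    bounds = [(child.tag.split("}")[1], child.text.strip()) for child in range_el]
    return all(_OPS[op](version, bound) for op, bound in bounds)


def affected_vids(vuxml_text, pkgname, version):
    """Return the vid of every <vuln> whose <affects> covers pkgname@version."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        for package in vuln.findall("v:affects/v:package", NS):
            names = {n.text.strip() for n in package.findall("v:name", NS)}
            if pkgname not in names:
                continue
            # A package entry matches if any one of its <range> blocks matches.
            if any(in_range(r, version) for r in package.findall("v:range", NS)):
                hits.append(vuln.get("vid"))
                break
    return hits


if __name__ == "__main__":
    cases = (("guessed fix", VULN_WITH_GUESSED_FIX), ("no known fix", VULN_NO_KNOWN_FIX))
    for label, doc in cases:
        for ver in ("2.0.21", "2.0.22"):
            print(f"{label}: phpbb-{ver} -> {affected_vids(doc, 'phpbb', ver)}")
```

Running the block prints the two entries side by side: the guessed-fix entry flags 2.0.21 and stays quiet for 2.0.22, while the open-ended entry flags both, which is the behaviour wanted until a fixed release is actually confirmed.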