Date: Wed, 19 Nov 2008 12:13:03 +0300
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: "Steven M. Christey" <coley@linus.mitre.org>
Cc: Jille Timmermans <jille@quis.cx>, bug-followup@freebsd.org, freebsd-security@freebsd.org, cve@mitre.org, mloveless@mitre.org, coley@mitre.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
Message-ID: <U6qbEr86yzGsiKNIeinaa2qfV5g@d6yCabBfxdg3ct%2Bc9Yg%2BgwcLjj0>
In-Reply-To: <Pine.GSO.4.51.0811181449170.22800@faron.mitre.org>
References: <20081118103433.38D5817115@shadow.codelabs.ru> <4922B371.6070002@quis.cx> <TqoTo5jliabZzOUld/zrRy5vtzI@%2BC9avPjAe6kfv7rH%2BxyHzR2RFw8> <4922B6F9.2000408@quis.cx> <9a6isDG2HABVFiTQKRYgHLbugj0@N7cbPDipnvOyJMD9YzFbYf8QNqE> <Pine.GSO.4.51.0811180957530.22800@faron.mitre.org> <HFT9UPqQxMKr5hueUanFpyCwPgI@BWOFZFtpv6375xxU2Y12WR4LQqg> <Pine.GSO.4.51.0811181449170.22800@faron.mitre.org>
Steven,

Tue, Nov 18, 2008 at 02:50:59PM -0500, Steven M. Christey wrote:
> > So, the VuXML entry should be changed accordingly. New content is
> > attached.
>
> Just for my own understanding, did the erroneous CVE description cause any
> extra work on your part?

No "extra" work. I had just copied the description from CVE and forgot to change the erroneous "5.6" to something more sane. Jille was kind to point me to this. But it was not clear where in the 5.x line the error was introduced. I had crawled via the PHP CVS and had found that it was there for the whole 5.x line.

> What if the desc had only said "5.2 through 5.2.6" at first?

I think I will ask myself something like "OK, but what about PHP 5.0 and 5.1? Are they vulnerable?" In principle, I _had_ asked myself about it and had traced the code via sources back to at least 4.x, so I had written '<=5.2.6_3' as the vulnerable version specification in the VuXML entry. I just forgot to change the description.

> I'm asking because I'm trying to understand how people use CVE and what
> impact our errors might have on others.

It may vary, of course. Typically, I am trying to validate CVE descriptions via some other sources; most used are vendor changelogs and original advisories. Source code crawling is good too, but it may be unavailable or a bit uneasy. I think that generally people tend to trust CVE entries, but checking is always good ;))

--
Eygene

Remember that it is hard to read the on-line manual while single-stepping the kernel.
  -- FreeBSD Developers handbook
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?U6qbEr86yzGsiKNIeinaa2qfV5g>
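The point of the exchange above is that the VuXML range '<=5.2.6_3' already covered PHP 5.0, 5.1 and the 4.x line even though the copied CVE description did not say so. The following is an added example, not code from the message, from the FreeBSD ports tree or from the VuXML tooling: a small Python checker that evaluates a range spec of that form against candidate port versions. It assumes dotted numeric versions with an optional `_N` PORTREVISION (the `',epoch'` suffix and letter suffixes that real FreeBSD package versions may carry are deliberately not handled), and the space-separated multi-clause spec such as `'>=5.2 <=5.2.6_3'` is a shorthand invented for this example, not VuXML's XML `<range>` syntax.

```python
import re

# Constructed sample: the vulnerable-version spec discussed in the thread.
VULNERABLE_RANGE = "<=5.2.6_3"

# Comparison operators, applied to a strcmp-style result.
_OPS = {
    "<=": lambda c: c <= 0,
    "<":  lambda c: c < 0,
    ">=": lambda c: c >= 0,
    ">":  lambda c: c > 0,
    "=":  lambda c: c == 0,
}


def parse_version(version):
    """Split '5.2.6_3' into ((5, 2, 6), 3).

    Assumption: only numeric dotted components plus an optional _N
    PORTREVISION are accepted; ',epoch' and letter suffixes raise.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return parts, revision


def compare(a, b):
    """Return -1, 0 or 1 ordering version a against version b.

    Shorter dotted parts are padded with zeros, so 5.2 == 5.2.0, and the
    PORTREVISION is the tie-breaker, so 5.2.6 < 5.2.6_3.
    """
    (pa, ra), (pb, rb) = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    ka, kb = (pa, ra), (pb, rb)
    return (ka > kb) - (ka < kb)


def matches(spec, version):
    """True if `version` satisfies every clause of a range spec.

    Clauses are space separated (an invented shorthand for this example),
    e.g. '<=5.2.6_3' or '>=5.2 <=5.2.6_3', and are combined with AND.
    """
    for clause in spec.split():
        m = re.fullmatch(r"(<=|>=|<|>|=)(.+)", clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](compare(version, bound)):
            return False
    return True


def affected_versions(spec, candidates):
    """Filter a list of port versions down to those the spec marks vulnerable."""
    return [v for v in candidates if matches(spec, v)]


if __name__ == "__main__":
    # Constructed candidates spanning the 4.x, 5.0, 5.1 and 5.2 lines.
    sample = ["4.4.9", "5.0.5", "5.1.6", "5.2.6", "5.2.6_3", "5.2.6_4", "5.2.7"]
    for v in sample:
        print(f"{v:>8}: {'vulnerable' if matches(VULNERABLE_RANGE, v) else 'fixed'}")
```

Running it shows that everything up to and including 5.2.6_3 is flagged, while 5.2.6_4 (the port revision carrying the fix) and 5.2.7 are not, which is exactly the coverage the message says the VuXML range was meant to express regardless of what the prose description claimed.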