Date: Wed, 19 Nov 2008 15:46:07 -0800
From: Xin LI <delphij@delphij.net>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: freebsd-security@FreeBSD.ORG, delphij@FreeBSD.ORG
Subject: Re: ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
Message-ID: <4924A53F.10400@delphij.net>
In-Reply-To: <guGcHD7FV7OtwPuVBjzjkm7xoOU@20cDGM%2B8hsk/QFQ6RA5/3vpdoQo>
References: <200811192237.mAJMbCnZ038587@freefall.freebsd.org> <guGcHD7FV7OtwPuVBjzjkm7xoOU@20cDGM%2B8hsk/QFQ6RA5/3vpdoQo>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eygene Ryabinkin wrote:
> Xin, good day.
>
> Wed, Nov 19, 2008 at 10:37:12PM +0000, delphij@FreeBSD.org wrote:
>> Synopsis: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
>>
>> State-Changed-From-To: open->closed
>> State-Changed-By: delphij
>> State-Changed-When: Wed Nov 19 22:36:55 UTC 2008
>> State-Changed-Why:
>> Committed with some changes, thanks!
>
> Thanks for handling this. But I have a question: what is the general
> policy about versions that are to be documented within the 'range'
> clauses? You had changed version specification to '1.1.4', but it has
> never been in the FreeBSD ports tree. So, should we specify only
> existing port versions or we can specify vendor-specific versions as
> well, provided that the specification will be the same from the point of
> view of the port version evolution?

The '1.1.4' was chosen because the official release notes said so, and
it is the exact minimum version of the port, if it ever got into the
tree.

Personally I think it's a bad idea to cover versions that are known not
to be vulnerable. For instance, the user might be running 1.1.4 or 1.1.5
with their local patched versions and does not want to upgrade; making
false positives would actually hurt the credibility of vuxml.

Cheers,
- --
Xin LI <delphij@delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkkkpT8ACgkQi+vbBBjt66BfdQCgvaViet3vX/oDTITgj0nP099r
yyIAn05iXdtYM0uU5oNBWBXcHEcHFFiF
=T4Wi
-----END PGP SIGNATURE-----