From: "Dan Langille" <dan@langille.org>
To: vuxml@freebsd.org
Date: Sun, 30 Jul 2006 23:51:50 -0400
Message-ID: <44CD4616.6955.1CD8B337@dan.langille.org>
Subject: correct versions for lang/ruby18?

Are the versions for ruby18 specified correctly here?

http://www.vuxml.org/freebsd/76562594-1f19-11db-b7d4-0008743bf21a.html

1.6.* < ruby < 1.8.*
1.8.* < ruby < 1.8.4_9,1
1.6.* < ruby_static < 1.8.*
1.8.* < ruby_static < 1.8.4_9,1

Is that expected? Doesn't 1.8.* mean 1.8.4_9,1 is also affected?

Perhaps 1.8.* should be 1.8

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php


From: "Simon L. Nielsen" <simon@zaphod.nitro.dk>
To: Dan Langille
Cc: vuxml@freebsd.org
Date: Mon, 31 Jul 2006 23:53:25 +0200
Message-ID: <20060731215324.GD1154@zaphod.nitro.dk>
In-Reply-To: <44CD4616.6955.1CD8B337@dan.langille.org>
Subject: Re: correct versions for lang/ruby18?

On 2006.07.30 23:51:50 -0400, Dan Langille wrote:
> Are the versions for ruby18 specified correctly here?
>
> http://www.vuxml.org/freebsd/76562594-1f19-11db-b7d4-0008743bf21a.html
>
> 1.6.* < ruby < 1.8.*
> 1.8.* < ruby < 1.8.4_9,1
> 1.6.* < ruby_static < 1.8.*
> 1.8.* < ruby_static < 1.8.4_9,1
>
> Is that expected? Doesn't 1.8.* mean 1.8.4_9,1 is also affected?
>
> Perhaps 1.8.* should be 1.8

That seems correct to me (it should better, I suggested it ;-) ).

"*" means basically the smallest possible version and "less than" is
used, not "less than equal", so the above entries for 1.6 means any
version larger than the smallest 1.6 and less than any 1.8 version.

Of course the above really could be minimized to "ruby < 1.8.4_9,1" and
drop the 1.6 entry. The reason that wasn't done was to make it simpler
to add fixed version info for 1.6 if that comes...

There is also the sidenote that since ruby 1.8.* above does not include
epoch 1 (,1 in version) and ruby 1.8 is now at port epoch 1 it could
never match, since "lowest_version,1 > highest_version".

The reason for using .* is to catch any beta version etc. (frankly I'm
not really sure right now if it's really an issue for ruby here but I'm
a bit too tired to really double check). You can see the problem here:

[simon@zaphod:~] pkg_version -t 1.8.0.p1 '1.8.*'
>
[simon@zaphod:~] pkg_version -t 1.8.0.p1 1.8
<
[simon@zaphod:~] pkg_version -t 1.8.0.p1 1.8.0
<

Both portaudit and vxquery seem to agree that the entry is correct:

[simon@eddie:vuxml] portaudit -q 'ruby-1.8.4_9,1'
[simon@eddie:vuxml] portaudit -q 'ruby-1.8.4_8,1'
ruby-1.8.4_8,1
[simon@eddie:vuxml] vxquery vuln.xml 'ruby-1.8.4_9,1'
[simon@eddie:vuxml] vxquery vuln.xml 'ruby-1.8.4_8,1'
Topic: ruby - multiple vulnerabilities
Affects:
  1.6.* < ruby < 1.8.*
  1.8.* < ruby < 1.8.4_9,1
  1.6.* < ruby_static < 1.8.*
  1.8.* < ruby_static < 1.8.4_9,1
References:
  bid:18944
  cvename:CVE-2006-3694
  url:http://secunia.com/advisories/21009/
  url:http://jvn.jp/jp/JVN%2383768862/index.html
  url:http://jvn.jp/jp/JVN%2313947696/index.html

-- 
Simon L. Nielsen
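The range semantics Simon describes (strict "<" on both ends, ".*" as the lowest possible value of a component, pre-release suffixes sorting below the plain release, and ",N" epochs outranking everything else) can be checked with a small model. The following Python is an added example written for this archive page; it is not the VuXML tooling, not portaudit or vxquery, and not FreeBSD's pkg_version, whose full comparison rules are more involved. It is a simplified comparator whose ordering for "p", "*", "_N" and ",N" is chosen to reproduce the pkg_version and portaudit output quoted in the thread; the ranking of other pre-release markers and the function names are assumptions of this example.

```python
"""Simplified model of VuXML version ranges (added example; not pkg_version)."""
import re

# Pre-release markers sort below any numeric component. "p" is included
# because the pkg_version output quoted in the thread puts 1.8.0.p1 below
# 1.8.0; the relative ranks of the other markers are an assumption here.
PRE_RELEASE_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "pre": 2, "rc": 3, "p": 4}
STAR = (-2, 0)   # "*" = the lowest possible value for that component
ZERO = (0, 0)    # padding so that 1.8 and 1.8.0 compare equal


def _component_key(comp):
    """Map one dotted component to a tuple that sorts the way the thread shows."""
    if comp == "*":
        return STAR
    if comp.isdigit():
        return (0, int(comp))
    m = re.fullmatch(r"([a-z]+)(\d*)", comp)
    if m and m.group(1) in PRE_RELEASE_RANK:
        return (-1, PRE_RELEASE_RANK[m.group(1)], int(m.group(2) or 0))
    raise ValueError(f"unsupported version component: {comp!r}")


def version_key(version):
    """Split '1.8.4_9,1' into (epoch, [components], portrevision).

    Epoch is compared first, which is why any ',1' version is greater than
    any epoch-0 version regardless of the numbers in front of the comma.
    """
    base, _, epoch = version.partition(",")
    base, _, revision = base.partition("_")
    comps = [_component_key(c) for c in base.split(".")]
    return (int(epoch or 0), comps, int(revision or 0))


def compare(a, b):
    """Return '<', '=' or '>' in the style of `pkg_version -t a b`."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka[1]), len(kb[1]))
    ka = (ka[0], ka[1] + [ZERO] * (n - len(ka[1])), ka[2])
    kb = (kb[0], kb[1] + [ZERO] * (n - len(kb[1])), kb[2])
    return "<" if ka < kb else ">" if ka > kb else "="


RANGE_RE = re.compile(r"^(\S+)\s*<\s*(\S+)\s*<\s*(\S+)$")


def parse_range(text):
    """Parse an 'Affects:' line such as '1.8.* < ruby < 1.8.4_9,1'."""
    m = RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a 'low < name < high' range: {text!r}")
    low, name, high = m.groups()
    return name, low, high


def is_affected(pkg, ranges):
    """True if pkg ('name-version') lies strictly inside any of the ranges."""
    name, _, ver = pkg.rpartition("-")
    for r in ranges:
        rname, low, high = parse_range(r)
        if rname == name and compare(low, ver) == "<" and compare(ver, high) == "<":
            return True
    return False


# The Affects: lines quoted in the thread for the ruby entry.
VUXML_RANGES = [
    "1.6.* < ruby < 1.8.*",
    "1.8.* < ruby < 1.8.4_9,1",
    "1.6.* < ruby_static < 1.8.*",
    "1.8.* < ruby_static < 1.8.4_9,1",
]

if __name__ == "__main__":
    for pair in (("1.8.0.p1", "1.8.*"), ("1.8.0.p1", "1.8"), ("1.8.0.p1", "1.8.0")):
        print(f"{pair[0]} {compare(*pair)} {pair[1]}")
    for pkg in ("ruby-1.8.4_9,1", "ruby-1.8.4_8,1", "ruby-1.8.0.p1"):
        print(pkg, "affected" if is_affected(pkg, VUXML_RANGES) else "not affected")
    # Dan's proposed lower bound "1.8" would miss a pre-release 1.8.0.p1:
    print("with '1.8' as lower bound:",
          is_affected("ruby-1.8.0.p1", ["1.8 < ruby < 1.8.4_9,1"]))
```

The model reproduces the three pkg_version comparisons and the two portaudit results from the thread, and also shows the point behind ".*": with "1.8" as the lower bound a pre-release such as 1.8.0.p1 sorts below the bound and falls outside the range, while "1.8.*" sorts below every 1.8 version and so catches it. It likewise shows the epoch sidenote, since any ",1" version compares greater than "1.8.*".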