From owner-freebsd-vuxml@FreeBSD.ORG Mon Mar 7 14:41:43 2005
From: "Kang Liu"
Cc: delphij@freebsd.org
Date: Mon, 7 Mar 2005 22:41:30 +0800
Subject: possible wrong date in 4a0b334d-8d8d-11d9-afa0-003048705d5a
List-Id: Documenting security issues in VuXML

Hi,

The discovery date of 4a0b334d-8d8d-11d9-afa0-003048705d5a might be wrong. I've told delphij (the submitter of that entry), while he said that date came from the original source. But, as we all know, 2005 is not a leap year, actually there is no Feb 29th 2005... I think it could be better if we change it to Feb 28th 2005.

Best wishes,
Kang

From owner-freebsd-vuxml@FreeBSD.ORG Mon Mar 7 15:34:07 2005
From: Xin LI
To: Kang Liu
Cc: freebsd-vuxml@freebsd.org, delphij@freebsd.org
Date: Mon, 07 Mar 2005 23:29:38 +0800
Subject: Re: possible wrong date in 4a0b334d-8d8d-11d9-afa0-003048705d5a

On Mon, 2005-03-07 at 22:41 +0800, Kang Liu wrote:
> Hi,
> The discovery date of 4a0b334d-8d8d-11d9-afa0-003048705d5a might be
> wrong. I've told delphij (the submitter of that entry), while he said that
> date came from the original source. But, as we all know, 2005 is not a leap
> year, actually there is no Feb 29th 2005... I think it could be better if we
> change it to Feb 28th 2005.

Thanks for noticing this. I'm aware of the issue, but it is the official version that claims Feb 29th:

http://216.127.76.78/~neosecur/index.php?pagina=advisories&id=8

And my letter has been bounced before I have decided to commit it as-is.

I'm inclined to keep it there until some of us can *actually* contact the author to confirm the discovery date. Replacing an official (while it appears to be wrong) date with a guessed value (we will never know if it is or is not wrong, and I personally infer it should be March 1st) is more or less pointless.

BTW, what's your opinion about the fix? Without having a correct filtering of user input, one can launch XSS attacks which put users in danger.

Cheers,
--
Xin LI http://www.delphij.net/

From owner-freebsd-vuxml@FreeBSD.ORG Mon Mar 7 15:50:33 2005
From: "Jacques A. Vidrine"
To: Xin LI
Cc: freebsd-vuxml@freebsd.org, delphij@freebsd.org
Date: Mon, 7 Mar 2005 09:50:32 -0600
Subject: Re: possible wrong date in 4a0b334d-8d8d-11d9-afa0-003048705d5a

On Mon, Mar 07, 2005 at 11:29:38PM +0800, Xin LI wrote:
> On Mon, 2005-03-07 at 22:41 +0800, Kang Liu wrote:
> > Hi,
> > The discovery date of 4a0b334d-8d8d-11d9-afa0-003048705d5a might be
> > wrong. I've told delphij (the submitter of that entry), while he said that
> > date came from the original source. But, as we all know, 2005 is not a leap
> > year, actually there is no Feb 29th 2005... I think it could be better if we
> > change it to Feb 28th 2005.
>
> Thanks for noticing this. I'm aware of the issue, but it is the
> official version that claims Feb 29th:
>
> http://216.127.76.78/~neosecur/index.php?pagina=advisories&id=8
>
> And my letter has been bounced before I have decided to commit it as-is.
>
> I'm inclined to keep it there until some of us can *actually* contact
> the author to confirm the discovery date. Replacing an official (while
> it appears to be wrong) date with a guessed value (we will never know if
> it is or is not wrong, and I personally infer it should be March 1st) is
> more or less pointless.

No, it must be changed and I have already done so. It is unacceptable to have an invalid date: VuXML applications are encouraged to get mad when encountering such bogus data (^_^). I've changed it to 2005-02-28 in the interim.

The date cannot be `official'... it is not a date any more than 2005-99-99 is a date.

The "discovery" date is actually the date of first public disclosure, by the way. Thus, it seems that 2005-03-02 is probably most accurate. However, it isn't really important. It is just to give people an idea of how long they may have been exposed.

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-vuxml@FreeBSD.ORG Mon Mar 7 16:28:42 2005
From: Xin LI
To: "Jacques A. Vidrine"
Cc: freebsd-vuxml@freebsd.org, delphij@freebsd.org
Date: Tue, 08 Mar 2005 00:27:10 +0800
Subject: Re: possible wrong date in 4a0b334d-8d8d-11d9-afa0-003048705d5a

On Mon, 2005-03-07 at 09:50 -0600, Jacques A. Vidrine wrote:
> No, it must be changed and I have already done so. It is unacceptable
> to have an invalid date: VuXML applications are encouraged to get mad
> when encountering such bogus data (^_^). I've changed it to
> 2005-02-28 in the interim.

Err... I haven't considered an application that will deal with that date :-) Thanks for fixing it.

Cheers,
--
Xin LI http://www.delphij.net/

From owner-freebsd-vuxml@FreeBSD.ORG Tue Mar 8 20:44:40 2005
From: "Simon L. Nielsen"
To: "Jacques A. Vidrine", freebsd-vuxml@freebsd.org
Date: Tue, 8 Mar 2005 21:44:36 +0100
Subject: Re: possible wrong date in 4a0b334d-8d8d-11d9-afa0-003048705d5a

On 2005.03.07 09:50:32 -0600, Jacques A. Vidrine wrote:
> The "discovery" date is actually the date of first public disclosure,
> by the way. Thus, it seems that 2005-03-02 is probably most accurate.
> However, it isn't really important. It is just to give people an idea
> of how long they may have been exposed.

Whoops... I always thought it was when the issue was first discovered, i.e. the first date it was mentioned... Oh well :-).

--
Simon L. Nielsen
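
The thread turns on a VuXML consumer rejecting a date that is well-formed but not on the calendar. The following is an added example, not part of the original thread or of any VuXML tool: a lint pass that flags such values in the `<dates>` block of each entry. It assumes the standard VuXML namespace declaration; the function names, the placeholder vids and the `<entry>` dates are made up for illustration.

```python
import datetime
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
ISO_DATE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")

# Constructed sample. The first vid and the three discovery values are from
# the thread; the other vids and all <entry> dates are placeholders.
SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="4a0b334d-8d8d-11d9-afa0-003048705d5a">
    <dates><discovery>2005-02-29</discovery><entry>2005-03-05</entry></dates>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <dates><discovery>2005-99-99</discovery><entry>2005-03-05</entry></dates>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <dates><discovery>2005-02-28</discovery><entry>2005-03-05</entry></dates>
  </vuln>
</vuxml>"""

def parse_date(text):
    """Return a datetime.date; raise ValueError unless text is a real
    calendar day written strictly as YYYY-MM-DD."""
    match = ISO_DATE.fullmatch((text or "").strip())
    if match is None:
        raise ValueError("not in YYYY-MM-DD form")
    # datetime.date() itself rejects month 99 and Feb 29 in a non-leap year.
    return datetime.date(*(int(part) for part in match.groups()))

def check_dates(xml_text):
    """Return (vid, field, value, reason) for each date that is not valid."""
    problems = []
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        for field in ("discovery", "entry", "modified"):
            node = vuln.find(f"v:dates/v:{field}", NS)
            if node is None:
                continue  # field absent from this entry: nothing to check
            try:
                parse_date(node.text)
            except ValueError as exc:
                problems.append((vuln.get("vid"), field, node.text, str(exc)))
    return problems

if __name__ == "__main__":
    for vid, field, value, reason in check_dates(SAMPLE):
        print(f"{vid}: <{field}>{value}</{field}> rejected ({reason})")
```

Run before committing a change to the VuXML document, a check like this catches the entry discussed above while leaving the interim value 2005-02-28 alone.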