Date:      Sun, 19 Sep 2004 08:38:33 -0400
From:      "Dan Langille" <dan@langille.org>
To:        Mathieu Arnold <mat@mat.cc>
Cc:        freebsd-vuxml@freebsd.org
Subject:   Re: confused by ranges
Message-ID:  <414D4589.218.3804EA89@localhost>
In-Reply-To: <4433CFB17394B75789799BD9@nescarba.in.t-online.fr>
References:  <414C6EA1.25173.34BD6CDE@localhost>

On 19 Sep 2004 at 9:56, Mathieu Arnold wrote:

> +-On 18/09/2004 17:21 -0400, Dan Langille wrote:
> | I'm having a quick look through vuln.xml:
> | 
> |         <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
> | 
> | Intuitively, that means you are vulnerable if you have versions >= 
> | 2.0 or < 2.0.50_3.
> 
> This one is an AND : VER > 2.0 AND VER < 2.0.50_3

If there are two operators in a range, it is an AND.  The testing 
values always go before the supplied operator.  Correct?

> | Is that correct?  Is that how to apply the rules?  I found the DTD 
> | confused me more than the examples did.
> | 
> | This is an interesting example:
> | 
> |         <range><lt>1.1.2_1</lt></range>
> |         <range><ge>2.0</ge></range>
> | 
> | Two range statements in the same package... instead of one range with 
> | two operators.  Why?
> 
> This one is an OR, that is VER < 1.1.2_1 or VER > 2.0
> 
> because the version can't be < 1.1.2_1 and > 2.0.

If there are multiple ranges for a package within a vuln, they are 
used to construct an OR.  Actually, they could be applied separately 
to test values separately (i.e. if one was processing this one row at 
a time, you could just test the value and not worry about whether or 
not the next row contained another range entry).

Correct?

Thank you.
-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/
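
The range semantics discussed in this message, as an added example that is not part of the original e-mail or of the VuXML project's code: operators inside one `<range>` are ANDed, and multiple `<range>` elements of a package are ORed. The `version_key` comparison is a simplified assumption (dotted numbers plus `_portrevision`, not the full FreeBSD package version rules), and the package name `example-port` is constructed.

```python
import operator
import xml.etree.ElementTree as ET

# VuXML range operators mapped to Python comparisons.
OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}


def version_key(version):
    """Simplified sort key: dotted numeric parts plus optional _portrevision.

    Assumption: this is NOT the full FreeBSD package version comparison
    (no epochs, letters or pl/alpha/beta suffixes).
    """
    base, _, revision = version.partition("_")
    return tuple(int(p) for p in base.split(".")), int(revision or 0)


def range_matches(range_elem, installed):
    """All operators inside one <range> must hold (AND)."""
    key = version_key(installed)
    ops = list(range_elem)
    # An empty <range> matches nothing rather than everything.
    return bool(ops) and all(
        OPS[op.tag](key, version_key(op.text.strip())) for op in ops)


def package_affected(package_elem, installed):
    """Any one <range> of the package matching is enough (OR)."""
    return any(range_matches(r, installed)
               for r in package_elem.findall("range"))


# Constructed fragments using the two range examples quoted in the message.
SINGLE_RANGE = ET.fromstring(
    "<package><name>example-port</name>"
    "<range><ge>2.0</ge><lt>2.0.50_3</lt></range></package>")
TWO_RANGES = ET.fromstring(
    "<package><name>example-port</name>"
    "<range><lt>1.1.2_1</lt></range>"
    "<range><ge>2.0</ge></range></package>")

if __name__ == "__main__":
    for v in ("1.9", "2.0", "2.0.50_2", "2.0.50_3"):
        print("single range", v, package_affected(SINGLE_RANGE, v))
    for v in ("1.1.2", "1.1.2_1", "1.5", "2.0"):
        print("two ranges  ", v, package_affected(TWO_RANGES, v))
```

Because each `<range>` is evaluated on its own, a row-at-a-time processor can call `range_matches` per row and stop at the first match.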