From: Mathieu Arnold <mat@FreeBSD.org>
To: Dan Langille
Cc: freebsd-vuxml@freebsd.org
Date: Sun, 19 Sep 2004 14:48:02 +0200
Subject: Re: confused by ranges
Message-ID: <406631FA4FA5D14563850431@nescarba.in.t-online.fr>
In-Reply-To: <414D4589.218.3804EA89@localhost>
List-Id: Documenting security issues in VuXML

+-On 19/09/2004 08:38 -0400, Dan Langille wrote:
| On 19 Sep 2004 at 9:56, Mathieu Arnold wrote:
|
|> +-On 18/09/2004 17:21 -0400, Dan Langille wrote:
|> | I'm having a quick look through vuln.xml:
|> |
|> | 2.0 2.0.50_3
|> |
|> | Intuitively, that means you are vulnerable if you have versions >=
|> | 2.0 or < 2.0.50_3.
|>
|> This one is an AND: VER > 2.0 AND VER < 2.0.50_3
|
| If there are two operators in a range, it is an AND. The testing
| value always goes before the supplied operator. Correct?
|
|> | Is that correct? Is that how to apply the rules? I found the DTD
|> | confused me more than the examples did.
|> |
|> | This is an interesting example:
|> |
|> | 1.1.2_1
|> | 2.0
|> |
|> | Two range statements in the same package... instead of one range with
|> | two operators. Why?
|>
|> This one is an OR, that is VER < 1.1.2_1 or VER > 2.0
|>
|> because the version can't be < 1.1.2_1 and > 2.0.
|
| If there are multiple ranges for a package within a vuln, they are
| used to construct an OR. Actually, they could be applied separately
| to test values separately (i.e. if one was processing this one row at
| a time, you could just test the value and not worry about whether or
| not the next row contained another range entry).
|
| Correct?

Yes, I think this description is a bit too complicated. A ... value
defines a range of affected versions, and there can be multiple ranges
for a package. But we're saying the same thing :-)

--
Mathieu Arnold
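The semantics agreed on in the thread (every operator inside one range must hold, and a package is affected if any of its ranges matches) can be checked mechanically. The following evaluator is an added example, not code from the VuXML project or from anyone on the list. It assumes a simplified FreeBSD port version syntax of the form `major.minor..._revision[,epoch]` with purely numeric components, compared epoch first, then dotted components, then revision; the real pkg_version comparison also handles letter suffixes and other cases that this helper does not. The operator names `lt`, `le`, `gt`, `ge`, `eq` and the list-of-lists layout for ranges are the example's own representation, and the first thread example is encoded with a lower bound of `ge 2.0`, which is an assumption since the message shows both `>=` and `>`.

```python
# Added example: evaluating VuXML-style version ranges.
# One range = list of (operator, bound) conditions, all of which must hold (AND).
# A package is affected if ANY of its ranges matches (OR).
from operator import lt, le, gt, ge, eq
from typing import List, Tuple

OPS = {"lt": lt, "le": le, "gt": gt, "ge": ge, "eq": eq}

Condition = Tuple[str, str]   # e.g. ("ge", "2.0")
Range = List[Condition]       # conditions ANDed together


def parse_version(v: str) -> Tuple[int, Tuple[int, ...], int]:
    """Simplified FreeBSD port version -> (epoch, components, revision).

    Assumption: components are numeric only; letter suffixes such as
    "1.0a1" (which real pkg_version understands) raise ValueError here.
    """
    epoch = 0
    if "," in v:                      # "1.2_3,1" -> epoch 1
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:                      # "2.0.50_3" -> port revision 3
        v, r = v.split("_", 1)
        revision = int(r)
    comps = tuple(int(c) for c in v.split("."))
    # Treat 2.0 and 2.0.0 as equal by dropping trailing zero components.
    while len(comps) > 1 and comps[-1] == 0:
        comps = comps[:-1]
    return epoch, comps, revision


def range_matches(version: str, rng: Range) -> bool:
    """True when the installed version satisfies every condition in the range."""
    v = parse_version(version)
    return all(OPS[op](v, parse_version(bound)) for op, bound in rng)


def is_affected(version: str, ranges: List[Range]) -> bool:
    """True when any range for the package matches the installed version."""
    return any(range_matches(version, r) for r in ranges)


# The two cases discussed in the thread (constructed inputs):
# 1) one range with two operators  -> 2.0 <= VER < 2.0.50_3
BOUNDED_RANGE: List[Range] = [[("ge", "2.0"), ("lt", "2.0.50_3")]]
# 2) two separate ranges           -> VER < 1.1.2_1 OR VER > 2.0
SPLIT_RANGES: List[Range] = [[("lt", "1.1.2_1")], [("gt", "2.0")]]

if __name__ == "__main__":
    for ver in ("1.9", "2.0", "2.0.50_2", "2.0.50_3"):
        print(f"{ver:10} bounded range affected: {is_affected(ver, BOUNDED_RANGE)}")
    for ver in ("1.1.2", "1.1.2_1", "1.5", "2.0", "2.0_1"):
        print(f"{ver:10} split ranges affected:  {is_affected(ver, SPLIT_RANGES)}")
```

Because each range is evaluated on its own and the results are OR-ed, a consumer can indeed process one range entry at a time, as Dan suggests, without looking ahead for further ranges of the same package.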