From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 17:58:58 2004
Date: Tue, 17 Aug 2004 12:58:47 -0500
From: "Jacques A. Vidrine"
To: Oliver Eikemeier
Cc: freebsd-vuxml@FreeBSD.org, Tom Rhodes
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
Message-ID: <20040817175847.GC43426@madman.celabo.org>
In-Reply-To: <56FC3488-F075-11D8-924A-00039312D914@fillmore-labs.com>
List-Id: Documenting security issues in VuXML

[Moving to freebsd-vuxml ...
oh how I wish Bcc worked so that people on the other list knew where
this went :-) ]

On Tue, Aug 17, 2004 at 07:46:16PM +0200, Oliver Eikemeier wrote:
> When you can live with the dummy text produced by my perl script
> ("Please contact the FreeBSD Security Team for more information.") and
> we can make the `discovered' entry optional, fine with me. I can write
> a `make entry' perl script that parses a form and generates a template
> entry, send-pr like.

FWIW, this sounds fine by me, except about the part.
I see your point about it though... it may be dangerous to have a
bogus value (like the date of entry), because it may not get corrected
later. But I don't want it optional, so that it is not forgotten.
Perhaps we need the possibility of marking something explicitly
for such occasions ...

In the meantime, could the date of entry be used? And perhaps a
comment could be a workaround for now, something like

    2004-08-17

Ugly, I know, but the current format wasn't made for
works-in-progress. Maybe we can make some options for that...

> >In place of arguing, start forging some code to check the base
> >system against the security listings in vuln.xml.
>
> portaudit could easily do that. The only thing useful here would be to
> use __FreeBSD_versions, so we can check -STABLE and -CURRENT too. Or can
> I map the version numbers somehow? I added __FreeBSD_versions in the
> last entry (multiple CVS vulnerabilities), but they are commented out
> since I don't know what the right syntax is.

By way of example, I've been using FreeBSD 4.7-RELEASE-p1 == 4.7_1. I'm
not entirely satisfied and I am open to suggestions. This part has been
ill-specified.
:-(

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 18:06:14 2004
Date: Tue, 17 Aug 2004 14:05:21 -0400
From: Tom Rhodes
To: "Jacques A. Vidrine"
Cc: freebsd-vuxml@FreeBSD.org
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
Message-Id: <20040817140521.1d0f252d@localhost>
In-Reply-To: <20040817175847.GC43426@madman.celabo.org>

On Tue, 17 Aug 2004 12:58:47 -0500
"Jacques A. Vidrine" wrote:

> [Moving to freebsd-vuxml ... oh how I wish Bcc worked so that people on
> the other list knew where this went :-) ]

NOTE: I am not subscribed to this list yet!
I'm working on that right now!

>
> On Tue, Aug 17, 2004 at 07:46:16PM +0200, Oliver Eikemeier wrote:
> > When you can live with the dummy text produced by my perl script
> > ("Please contact the FreeBSD Security Team for more information.") and
> > we can make the `discovered' entry optional, fine with me. I can write
> > a `make entry' perl script that parses a form and generates a template
> > entry, send-pr like.
>
> FWIW, this sounds fine by me, except about the part.
> I see your point about it though... it may be dangerous to have a
> bogus value (like the date of entry), because it may not get corrected
> later. But I don't want it optional, so that it is not forgotten.
> Perhaps we need the possibility of marking something explicitly
> for such occasions ...
>
> In the meantime, could the date of entry be used? And perhaps a
> comment could be a workaround for now, something like
>
> 2004-08-17
>
> Ugly, I know, but the current format wasn't made for
> works-in-progress. Maybe we can make some options for that...

How about N/A or "Unknown"? That shows that it needs corrected
and that there is no problem.

>
> > >In place of arguing, start forging some code to check the base
> > >system against the security listings in vuln.xml.
> >
> > portaudit could easily do that. The only thing useful here would be to
> > use __FreeBSD_versions, so we can check -STABLE and -CURRENT too. Or can
> > I map the version numbers somehow? I added __FreeBSD_versions in the
> > last entry (multiple CVS vulnerabilities), but they are commented out
> > since I don't know what the right syntax is.
>
> By way of example, I've been using FreeBSD 4.7-RELEASE-p1 == 4.7_1. I'm
> not entirely satisfied and I am open to suggestions. This part has been
> ill-specified. :-(

Why not ident(1) on the specific files? A quick sh script could
do this using variables parsed from VuXML entries.
--
Tom Rhodes

From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 18:25:12 2004
Date: Tue, 17 Aug 2004 20:26:56 +0200
From: Oliver Eikemeier
To: "Jacques A. Vidrine"
Cc: freebsd-vuxml@FreeBSD.org, Tom Rhodes
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
Message-Id: <0569BE5A-F07B-11D8-924A-00039312D914@fillmore-labs.com>
In-Reply-To: <20040817175847.GC43426@madman.celabo.org>

Jacques A. Vidrine wrote:

> [Moving to freebsd-vuxml ... oh how I wish Bcc worked so that people on
> the other list knew where this went :-) ]
>
> On Tue, Aug 17, 2004 at 07:46:16PM +0200, Oliver Eikemeier wrote:
>> When you can live with the dummy text produced by my perl script
>> ("Please contact the FreeBSD Security Team for more information.") and
>> we can make the `discovered' entry optional, fine with me.
>> I can write
>> a `make entry' perl script that parses a form and generates a template
>> entry, send-pr like.
>
> FWIW, this sounds fine by me, except about the part.
> I see your point about it though... it may be dangerous to have a
> bogus value (like the date of entry), because it may not get corrected
> later. But I don't want it optional, so that it is not forgotten.
> Perhaps we need the possibility of marking something explicitly
> for such occasions ...
>
> In the meantime, could the date of entry be used? And perhaps a
> comment could be a workaround for now, something like
>
> 2004-08-17
>
> Ugly, I know, but the current format wasn't made for
> works-in-progress. Maybe we can make some options for that...

epoch 0? 1970-01-01? Or the date vuxml was announced? This would be
easier to find than XXX, especially in a rendered version. Or just leave
the entry empty.

Any constant will do, it could be easily rendered to `unknown'. I find a
non-constant value (date of entry) a bad choice it is more difficult to
test against (and could be correct).

>>> In place of arguing, start forging some code to check the base
>>> system against the security listings in vuln.xml.
>>
>> portaudit could easily do that. The only thing useful here would be to
>> use __FreeBSD_versions, so we can check -STABLE and -CURRENT too. Or can
>> I map the version numbers somehow? I added __FreeBSD_versions in the
>> last entry (multiple CVS vulnerabilities), but they are commented out
>> since I don't know what the right syntax is.
>
> By way of example, I've been using FreeBSD 4.7-RELEASE-p1 == 4.7_1. I'm
> not entirely satisfied and I am open to suggestions. This part has been
> ill-specified. :-(

Ehm, __FreeBSD_version? What's bad with that? Documented in the Porters
Handbook, and to find out.
-Oliver

From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 18:25:22 2004
Date: Tue, 17 Aug 2004 13:25:12 -0500
From: "Jacques A. Vidrine"
To: Tom Rhodes
Cc: freebsd-vuxml@FreeBSD.org
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
Message-ID: <20040817182512.GA46244@madman.celabo.org>
In-Reply-To: <20040817140521.1d0f252d@localhost>

On Tue, Aug 17, 2004 at 02:05:21PM -0400, Tom Rhodes wrote:
> On Tue, 17 Aug 2004 12:58:47 -0500
> "Jacques A. Vidrine" wrote:
>
> > [Moving to freebsd-vuxml ... oh how I wish Bcc worked so that people on
> > the other list knew where this went :-) ]
>
> NOTE: I am not subscribed to this list yet! I'm working on that
> right now!
>
> >
> > On Tue, Aug 17, 2004 at 07:46:16PM +0200, Oliver Eikemeier wrote:
> > > When you can live with the dummy text produced by my perl script
> > > ("Please contact the FreeBSD Security Team for more information.") and
> > > we can make the `discovered' entry optional, fine with me. I can write
> > > a `make entry' perl script that parses a form and generates a template
> > > entry, send-pr like.
> >
> > FWIW, this sounds fine by me, except about the part.
> > I see your point about it though... it may be dangerous to have a
> > bogus value (like the date of entry), because it may not get corrected
> > later. But I don't want it optional, so that it is not forgotten.
> > Perhaps we need the possibility of marking something explicitly
> > for such occasions ...
> >
> > In the meantime, could the date of entry be used? And perhaps a
> > comment could be a workaround for now, something like
> >
> > 2004-08-17
> >
> > Ugly, I know, but the current format wasn't made for
> > works-in-progress. Maybe we can make some options for that...
>
> How about N/A or "Unknown"? That shows that it needs corrected
> and that there is no problem.

Thank you, I'm braindead lately. We don't need another element or
anything, we can just use a fixed string instead of a date string. I
prefer

    unspecified

but the others (in lower case) might be OK, also. But let's just pick
one.

I'll have to check if this breaks anything existing, but I feel it will
be easy to accommodate.

> > By way of example, I've been using FreeBSD 4.7-RELEASE-p1 == 4.7_1. I'm
> > not entirely satisfied and I am open to suggestions. This part has been
> > ill-specified. :-(
>
> Why not ident(1) on the specific files? A quick sh script could
> do this using variables parsed from VuXML entries.
Aaaaaahh!
/me runs away

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 18:27:30 2004
Date: Tue, 17 Aug 2004 13:27:19 -0500
From: "Jacques A. Vidrine"
To: Oliver Eikemeier
Cc: freebsd-vuxml@FreeBSD.org, Tom Rhodes
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
Message-ID: <20040817182719.GB46244@madman.celabo.org>
In-Reply-To: <0569BE5A-F07B-11D8-924A-00039312D914@fillmore-labs.com>

On Tue, Aug 17, 2004 at 08:26:56PM +0200, Oliver Eikemeier wrote:
> epoch 0? 1970-01-01? Or the date vuxml was announced? This would be
> easier to find than XXX, especially in a rendered version. Or just leave
> the entry empty.
>
> Any constant will do, it could be easily rendered to `unknown'. I find a
> non-constant value (date of entry) a bad choice it is more difficult to
> test against (and could be correct).

Yes, you are right, we just need a constant string like 'unknown' or
'unspecified'.

> >By way of example, I've been using FreeBSD 4.7-RELEASE-p1 == 4.7_1. I'm
> >not entirely satisfied and I am open to suggestions. This part has been
> >ill-specified. :-(
>
> Ehm, __FreeBSD_version? What's bad with that? Documented in the Porters
> Handbook, and to find out.

__FreeBSD_version is for developers, not users. Users need to see
actual release numbers.
Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 18:34:13 2004
Date: Tue, 17 Aug 2004 14:33:22 -0400
From: Tom Rhodes
To: "Jacques A. Vidrine"
Cc: freebsd-vuxml@FreeBSD.org, Tom Rhodes
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
Message-Id: <20040817143322.56d0b19f@localhost>
In-Reply-To: <20040817182719.GB46244@madman.celabo.org>

On Tue, 17 Aug 2004 13:27:19 -0500
"Jacques A. Vidrine" wrote:

> On Tue, Aug 17, 2004 at 08:26:56PM +0200, Oliver Eikemeier wrote:
> > epoch 0? 1970-01-01? Or the date vuxml was announced?
> > This would be
> > easier to find than XXX, especially in a rendered version. Or just leave
> > the entry empty.
> >
> > Any constant will do, it could be easily rendered to `unknown'. I find a
> > non-constant value (date of entry) a bad choice it is more difficult to
> > test against (and could be correct).
>
> Yes, you are right, we just need a constant string like 'unknown' or
> 'unspecified'.
>
> > >By way of example, I've been using FreeBSD 4.7-RELEASE-p1 == 4.7_1. I'm
> > >not entirely satisfied and I am open to suggestions. This part has been
> > >ill-specified. :-(
> >
> > Ehm, __FreeBSD_version? What's bad with that? Documented in the Porters
> > Handbook, and to find out.
>
> __FreeBSD_version is for developers, not users. Users need to see
> actual release numbers.
>
> Cheers,

Do we bump __FreeBSD_version for security patches though? This
always drove me nuts. As I said, a simple ident(1) and then a
quick compare would work. I do something similar in an upgrade
script:

# Define two functions here: system_mysql and port_mysql and assign
# them a task.
system_mysql() {
	system=`ls /var/db/pkg | grep 'mysql-server' | sed 's/mysql-server-//'`
}

port_mysql() {
	port=`cat /usr/ports/databases/mysql323-server/Makefile | grep 'PORTVERSION=' |\
	    sed 's/PORTVERSION=//' | awk '{ print $1 }'`
}

#if [ "$port" == "$system" ];
#then /usr/bin/printf "MySQL Server is up to date.\n" >> $log;
#elif [ "$port" != "$system" ];
#then /usr/bin/mysqldump --opt pittgoth > /root/pittgoth.sql;
#if [ $? -eq 0 ] && [ -s /root/pittgoth.sql ];
#then /bin/chmod 777 /var/db/mysql && /bin/rm -rf /var/db/mysql;
#  else /usr/bin/printf \
#  "An error occurred while backing up the database.\n" >> $log &&
#/usr/bin/printf "This command has failed and will exit.\n" \
#>> $log && exit
#fi
#else /usr/bin/printf "An unknown error occurred during the database upgrade.\n" >> \
#$log;
#fi

Retarded, perhaps, but it can work.
:)

--
Tom Rhodes

From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 18:36:03 2004
Date: Tue, 17 Aug 2004 14:36:36 -0400
From: Tom Rhodes
To: "Jacques A. Vidrine"
Cc: freebsd-vuxml@FreeBSD.org
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
Message-Id: <20040817143636.59bcabe0@localhost>
In-Reply-To: <20040817182512.GA46244@madman.celabo.org>

On Tue, 17 Aug 2004 13:25:12 -0500
"Jacques A. Vidrine" wrote:

[SNIP]

> Thank you, I'm braindead lately. We don't need another element or
> anything, we can just use a fixed string instead of a date string.
> I prefer
>
> unspecified
>
> but the others (in lower case) might be OK, also. But let's just pick
> one.
>
> I'll have to check if this breaks anything existing, but I feel it will
> be easy to accommodate.

I like unknown over unspecified. Unspecified makes me think
that a discovery date was never released by the developers while
unknown just means that we don't know or can't prove it.

--
Tom Rhodes

From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 18:37:51 2004
Date: Tue, 17 Aug 2004 13:37:41 -0500
From: "Jacques A. Vidrine"
To: Tom Rhodes
Cc: freebsd-vuxml@FreeBSD.org
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
Message-ID: <20040817183741.GD46244@madman.celabo.org>
In-Reply-To: <20040817143322.56d0b19f@localhost>

On Tue, Aug 17, 2004 at 02:33:22PM -0400, Tom Rhodes wrote:
> Do we bump __FreeBSD_version for security patches though?

Definitely not.

--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 19:16:48 2004
Date: Tue, 17 Aug 2004 21:18:33 +0200
From: Oliver Eikemeier
To: FreeBSD-vuxml@FreeBSD.org
Subject: portaudit wishlist
Message-Id: <3AF421B2-F082-11D8-924A-00039312D914@fillmore-labs.com>

Ok, things that I think would be really useful (incomplete list):

- csh-style braces. When this is not the right syntax, this could be
  done with ja-bugzilla or ja-kr-cups but we have many slave ports
  which just differ in prefixes/suffixes, and it would be easy to
  expand them when reading the file. Yes, portaudit does linear
  searches. Besides, this will greatly diminish the size of the
  database. I'm even willing to sacrifice glob patterns `*' and `?'
  for that, although they can be quite convenient sometimes.

- 1.* notation as the `smallest 1.x version possible'. 1.a is not the
  smallest, besides it is not completely transparent why .a is chosen
  in the range. When the `*' is the problem, this could be easily
  changed to a random character, or even a (greater equal range) tag
  (ok, the name is silly), but I want to have some standard way like
  >= 1.* < 2.* to match all 1.x and nothing else. No, I don't think
  >= 1.a < 2.a is good here.

- make `discovery' optional. It's a nice-to-have, but sometimes hard to
  find out, and dummy entries like entry = discovery do not help
  anyone. (ok, superseded by another thread).

- make `description' optional. It is in the way of `quick' entries
  which should be researched later. Of course it is acceptable to fill
  it with a dummy value, but in this case it shouldn't be present IMHO
  and the dummy value should be provided by the rendering code. Or
  will an empty tag do?

- make a `severity' field available. Of course it might be inaccurate,
  and software might want to ignore it and provide its own data.
  Yet it is useful when you only have time for a quick glance (notify
  me immediately of severe vulnerabilities, all others should only
  appear in Friday's report). It is a valuable guidance for the users,
  although I'm aware it is very error-prone.

- add a classification into remote/local exploitable

- add a `fixed' field that lists a version where the vulnerability is
  fixed. This could be used for a recommendation message, like
  "upgrade to version xxx" or "no upgrade is available, please
  deinstall the port or proceed with caution". This could also be
  realized as an alternate tag.

- Also we should add tags for the most popular references. Speaking of
  references, I would prefer something like CVS Multiple
  Vulnerabilities, which means they can be rendered with a meaningful
  line (but most not, so is legal too).

Ok, too many threads now. I have to look into this a little closer.

-Oliver

From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 19:19:38 2004
Date: Tue, 17 Aug 2004 21:21:22 +0200
From: Oliver Eikemeier
To: "Jacques A. Vidrine"
Cc: freebsd-vuxml@FreeBSD.org, Tom Rhodes
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
In-Reply-To: <20040817182719.GB46244@madman.celabo.org>

Jacques A. Vidrine wrote:

> __FreeBSD_version is for developers, not users. Users need to see
> actual release numbers.

Users need tools that interpret xml files correctly. The file must not
be user-readable.

-Oliver

From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 19:30:20 2004
Date: Tue, 17 Aug 2004 21:32:05 +0200
From: Oliver Eikemeier
To: Pete Fritchman
Cc: freebsd-vuxml@FreeBSD.org, Tom Rhodes, "Jacques A. Vidrine"
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
Message-Id: <1F055B5E-F084-11D8-924A-00039312D914@fillmore-labs.com>
In-Reply-To: <20040817185332.2B91D1800A@sirius.firepipe.net>

Pete Fritchman wrote:

> Perhaps you could use CVS revision IDs (with 'ident'). For example,
>
> /usr/bin/passwd:
>      $FreeBSD: src/usr.bin/passwd/passwd.c,v 1.16.2.1 2001/03/12 10:48:08 assar Exp $
>      $FreeBSD: src/usr.sbin/pwd_mkdb/pw_scan.c,v 1.14.2.2 2004/02/22 11:28:06 charnier Exp $
>      $FreeBSD: src/usr.sbin/vipw/pw_util.c,v 1.17.2.4 2002/09/04 15:28:10 des Exp $
>      $FreeBSD: src/libexec/ypxfr/ypxfr_misc.c,v 1.9.2.2 2002/02/15 00:46:54 des Exp $
>      $FreeBSD: src/include/rpcsvc/yp.x,v 1.12 1999/08/27 23:45:12 peter Exp $
>      $FreeBSD: src/include/rpcsvc/yppasswd.x,v 1.6 1999/08/27 23:45:12 peter Exp $
>      $FreeBSD: src/usr.sbin/rpc.yppasswdd/yppasswd_private.x,v 1.6 1999/08/28 01:19:41 peter Exp $
>      $FreeBSD: src/usr.sbin/rpc.yppasswdd/yppasswd_private.x,v 1.6 1999/08/28 01:19:41 peter Exp $
>
> If a security bug was fixed in passwd.c 1.16.3.1, you could point out that
> I'm vulnerable. Most of the security advisories include the revision that
> things were fixed in, so this shouldn't be too hard.

Jacques doesn't seem to like this: "Aaaaaahh!". I don't really care,
ident(1) is fine for me, and it seems like this is the only reliable
indication. OTOH you'll need a couple of references (file, list of
FreeBSD versions). Doable, so when no other ideas pop up we should do
this.
-Oliver From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 19:36:04 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4509416A4CE; Tue, 17 Aug 2004 19:36:04 +0000 (GMT) Received: from pittgoth.com (14.zlnp1.xdsl.nauticom.net [209.195.149.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id C05A543D1D; Tue, 17 Aug 2004 19:36:03 +0000 (GMT) (envelope-from trhodes@FreeBSD.org) Received: from localhost (acs-24-154-239-170.zoominternet.net [24.154.239.170]) (authenticated bits=0) by pittgoth.com (8.12.10/8.12.10) with ESMTP id i7HJYZ0l076547 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 17 Aug 2004 15:34:36 -0400 (EDT) (envelope-from trhodes@FreeBSD.org) Date: Tue, 17 Aug 2004 15:35:10 -0400 From: Tom Rhodes To: Oliver Eikemeier Message-Id: <20040817153510.6ccfbd8b@localhost> In-Reply-To: <1F055B5E-F084-11D8-924A-00039312D914@fillmore-labs.com> References: <20040817185332.2B91D1800A@sirius.firepipe.net> <1F055B5E-F084-11D8-924A-00039312D914@fillmore-labs.com> X-Mailer: Sylpheed-Claws 0.9.12 (GTK+ 1.2.10; i386-portbld-freebsd5.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit cc: freebsd-vuxml@FreeBSD.org cc: Tom Rhodes cc: Pete Fritchman cc: "Jacques A. Vidrine" Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Aug 2004 19:36:04 -0000 On Tue, 17 Aug 2004 21:32:05 +0200 Oliver Eikemeier wrote: > Pete Fritchman wrote: > > > Perhaps you could use CVS revision IDs (with 'ident'). 
For example, > > > > /usr/bin/passwd: > > $FreeBSD: src/usr.bin/passwd/passwd.c,v 1.16.2.1 2001/03/12 > > 10:48:08 assar Exp $ > > $FreeBSD: src/usr.sbin/pwd_mkdb/pw_scan.c,v 1.14.2.2 2004/02/22 > > 11:28:06 charnier Exp $ > > $FreeBSD: src/usr.sbin/vipw/pw_util.c,v 1.17.2.4 2002/09/04 > > 15:28:10 des Exp $ > > $FreeBSD: src/libexec/ypxfr/ypxfr_misc.c,v 1.9.2.2 2002/02/15 > > 00:46:54 des Exp $ > > $FreeBSD: src/include/rpcsvc/yp.x,v 1.12 1999/08/27 23:45:12 peter > > Exp $ > > $FreeBSD: src/include/rpcsvc/yppasswd.x,v 1.6 1999/08/27 23:45:12 > > peter Exp $ > > $FreeBSD: src/usr.sbin/rpc.yppasswdd/yppasswd_private.x,v 1.6 > > 1999/08/28 01:19:41 peter Exp $ > > $FreeBSD: src/usr.sbin/rpc.yppasswdd/yppasswd_private.x,v 1.6 > > 1999/08/28 01:19:41 peter Exp $ > > > > If a security bug was fixed in passwd.c 1.16.3.1, you could point out > > that > > I'm vulnerable. Most of the security advisories include the revision > > that > > things were fixed in, so this shouldn't be too hard. > > Jacques doens't seem to like this: "Aaaaaahh!". I don't really care > ident(1) is fine for me, and it seems like this is the only reliable > indication. OTOH you'll need a couple of references (file, list of > FreeBSD versions). Doable, so when no other ideas pop up we should do > this. Yea, I already mentioned this. We could also stat the UPDATING file for the entry? Perhaps some kind of string could be checked with grep or something. 
-- Tom Rhodes From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 19:47:31 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5A5A716A4CE; Tue, 17 Aug 2004 19:47:31 +0000 (GMT) Received: from fillmore.dyndns.org (port-212-202-50-15.dynamic.qsc.de [212.202.50.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id CE70F43D41; Tue, 17 Aug 2004 19:47:30 +0000 (GMT) (envelope-from eikemeier@fillmore-labs.com) Received: from dhcp-10.local ([172.16.0.10]) by fillmore.dyndns.org with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 4.41 (FreeBSD)) id 1Bx9vb-000BnO-Ih; Tue, 17 Aug 2004 21:47:30 +0200 Date: Tue, 17 Aug 2004 21:49:15 +0200 Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v482) To: Tom Rhodes From: Oliver Eikemeier In-Reply-To: <20040817153510.6ccfbd8b@localhost> Message-Id: <853F2EE0-F086-11D8-A951-00039312D914@fillmore-labs.com> Content-Transfer-Encoding: 7bit User-Agent: KMail/1.5.9 cc: freebsd-vuxml@FreeBSD.org cc: "Jacques A. Vidrine" cc: Pete Fritchman Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Aug 2004 19:47:31 -0000 Tom Rhodes wrote: >> Jacques doens't seem to like this: "Aaaaaahh!". I don't really care >> ident(1) is fine for me, and it seems like this is the only reliable >> indication. OTOH you'll need a couple of references (file, list of >> FreeBSD versions). Doable, so when no other ideas pop up we should do >> this. > > Yea, I already mentioned this. We could also stat the UPDATING > file for the entry? Perhaps some kind of string could be checked > with grep or something. 
UPDATING needs /src, which a) might not be available, and b) may be more recent the the installed software. -Oliver From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 19:04:03 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0978216A4CE; Tue, 17 Aug 2004 19:04:03 +0000 (GMT) Received: from shrike.submonkey.net (cpc2-cdif3-6-0-cust204.cdif.cable.ntl.com [81.103.67.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9225043D1D; Tue, 17 Aug 2004 19:04:02 +0000 (GMT) (envelope-from setantae@submonkey.net) Received: from setantae by shrike.submonkey.net with local (Exim 4.41 (FreeBSD)) id 1Bx9FY-0005F5-Ji; Tue, 17 Aug 2004 20:04:00 +0100 Date: Tue, 17 Aug 2004 20:04:00 +0100 From: Ceri Davies To: "Jacques A. Vidrine" , Oliver Eikemeier , Tom Rhodes , freebsd-vuxml@FreeBSD.org Message-ID: <20040817190400.GM5433@submonkey.net> Mail-Followup-To: Ceri Davies , "Jacques A. Vidrine" , Oliver Eikemeier , Tom Rhodes , freebsd-vuxml@FreeBSD.org References: <20040817122453.05edaaea@localhost> <56FC3488-F075-11D8-924A-00039312D914@fillmore-labs.com> <20040817175847.GC43426@madman.celabo.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="2fjX3cMESU3XgGmZ" Content-Disposition: inline In-Reply-To: <20040817175847.GC43426@madman.celabo.org> X-PGP: finger ceri@FreeBSD.org User-Agent: Mutt/1.5.6i Sender: Ceri Davies X-Mailman-Approved-At: Tue, 17 Aug 2004 19:58:49 +0000 Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Aug 2004 19:04:03 -0000 --2fjX3cMESU3XgGmZ Content-Type: text/plain; charset=us-ascii Content-Disposition: 
inline Content-Transfer-Encoding: quoted-printable On Tue, Aug 17, 2004 at 12:58:47PM -0500, Jacques A. Vidrine wrote: > [Moving to freebsd-vuxml ... oh how I wish Bcc worked so that people on > the other list knew where this went :-) ] >=20 > On Tue, Aug 17, 2004 at 07:46:16PM +0200, Oliver Eikemeier wrote: > > When you can live with the dummy text produced by my perl script > > ("Please contact the FreeBSD Security Team for more information.") and > > we can make the `discovered' entry optional, fine with me. I can write > > a `make entry' perl script that parses a form an generates a template > > entry, send-pr like. >=20 > FWIW, this sounds fine by me, except about the part. > I see your point about it though... it may be dangerous to have a > bogus value (like the date of entry), because it may not get corrected > later. But I don't want it optional, so that it is not forgotten. > Perhaps we need the possiblity of marking something explicitly > for such occassions ... >=20 > In the mean time, could the date of entry be used? And perhaps a > comment could be a workaround for now, something like >=20 > 2004-08-17 Disclaimer: I've come from the other list and am not familiar with the issues here, but this sounds like something that attributes were intended to cover. Something like: 2004-08-17 vs. 2004-08-17 Adjust values of state depending on what the two options really are. This has the benefit of being backwards compatible, assuming that the consumers are XML parsers. Ceri --=20 It is not tinfoil, it is my new skin. I am a robot. 
--2fjX3cMESU3XgGmZ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (FreeBSD) iD4DBQFBIlagocfcwTS3JF8RAmycAJ9Lk9NgOYKS+KunVPKA43xHT8pILACYjFVq J1WSw4TmPUIY0HpiCyTI8Q== =NQPl -----END PGP SIGNATURE----- --2fjX3cMESU3XgGmZ-- From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 20:39:17 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8C21B16A4CE; Tue, 17 Aug 2004 20:39:17 +0000 (GMT) Received: from pittgoth.com (14.zlnp1.xdsl.nauticom.net [209.195.149.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1444843D46; Tue, 17 Aug 2004 20:39:17 +0000 (GMT) (envelope-from trhodes@FreeBSD.org) Received: from localhost (acs-24-154-239-170.zoominternet.net [24.154.239.170]) (authenticated bits=0) by pittgoth.com (8.12.10/8.12.10) with ESMTP id i7HKbh0l076856 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 17 Aug 2004 16:37:44 -0400 (EDT) (envelope-from trhodes@FreeBSD.org) Date: Tue, 17 Aug 2004 16:38:18 -0400 From: Tom Rhodes To: Oliver Eikemeier Message-Id: <20040817163818.1c307c06@localhost> In-Reply-To: <853F2EE0-F086-11D8-A951-00039312D914@fillmore-labs.com> References: <20040817153510.6ccfbd8b@localhost> <853F2EE0-F086-11D8-A951-00039312D914@fillmore-labs.com> X-Mailer: Sylpheed-Claws 0.9.12 (GTK+ 1.2.10; i386-portbld-freebsd5.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit cc: freebsd-vuxml@FreeBSD.org cc: "Jacques A. 
Vidrine" cc: Pete Fritchman Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Aug 2004 20:39:17 -0000 On Tue, 17 Aug 2004 21:49:15 +0200 Oliver Eikemeier wrote: > Tom Rhodes wrote: > > >> Jacques doens't seem to like this: "Aaaaaahh!". I don't really care > >> ident(1) is fine for me, and it seems like this is the only reliable > >> indication. OTOH you'll need a couple of references (file, list of > >> FreeBSD versions). Doable, so when no other ideas pop up we should do > >> this. > > > > Yea, I already mentioned this. We could also stat the UPDATING > > file for the entry? Perhaps some kind of string could be checked > > with grep or something. > > UPDATING needs /src, which a) might not be available, and b) may be more > recent the the installed software. > -Oliver BLAH! The date from uname compaired to date of advisory. Shit, that only works for kernel. 
Hmmm -- Tom Rhodes From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 20:56:40 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CA53716A4CE; Tue, 17 Aug 2004 20:56:40 +0000 (GMT) Received: from fillmore.dyndns.org (port-212-202-50-15.dynamic.qsc.de [212.202.50.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 70EEC43D3F; Tue, 17 Aug 2004 20:56:40 +0000 (GMT) (envelope-from eikemeier@fillmore-labs.com) Received: from dhcp-10.local ([172.16.0.10]) by fillmore.dyndns.org with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 4.41 (FreeBSD)) id 1BxB0X-0008EU-Bf; Tue, 17 Aug 2004 22:56:39 +0200 Date: Tue, 17 Aug 2004 22:58:25 +0200 Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v482) To: Tom Rhodes From: Oliver Eikemeier In-Reply-To: <20040817163818.1c307c06@localhost> Message-Id: <2EA0165A-F090-11D8-A951-00039312D914@fillmore-labs.com> Content-Transfer-Encoding: 7bit User-Agent: KMail/1.5.9 cc: freebsd-vuxml@FreeBSD.org cc: "Jacques A. Vidrine" cc: Pete Fritchman Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Aug 2004 20:56:40 -0000 Tom Rhodes wrote: > BLAH! The date from uname compaired to date of advisory. Shit, > that only works for kernel. Hmmm Conditionalizing on kernel version would be fine for me, but isn't this the date when the kernel was compiled? The alternative seems to be to bump __FreeBSD_version for security fixes, but this won't work for patches. What is the problem with ident(1)? I seems like it was invented for stuff like this. 
-Oliver From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 20:59:30 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8360B16A4CE; Tue, 17 Aug 2004 20:59:30 +0000 (GMT) Received: from fillmore.dyndns.org (port-212-202-50-15.dynamic.qsc.de [212.202.50.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 34ECB43D2F; Tue, 17 Aug 2004 20:59:30 +0000 (GMT) (envelope-from eikemeier@fillmore-labs.com) Received: from dhcp-10.local ([172.16.0.10]) by fillmore.dyndns.org with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 4.41 (FreeBSD)) id 1BxB3G-0008F5-Vs; Tue, 17 Aug 2004 22:59:29 +0200 Date: Tue, 17 Aug 2004 23:01:15 +0200 Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v482) To: Oliver Eikemeier From: Oliver Eikemeier In-Reply-To: <2EA0165A-F090-11D8-A951-00039312D914@fillmore-labs.com> Message-Id: <93C7E544-F090-11D8-A951-00039312D914@fillmore-labs.com> Content-Transfer-Encoding: 7bit User-Agent: KMail/1.5.9 cc: freebsd-vuxml@FreeBSD.org cc: Tom Rhodes cc: Pete Fritchman cc: "Jacques A. Vidrine" Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Aug 2004 20:59:30 -0000 Oliver Eikemeier wrote: > Tom Rhodes wrote: > >> BLAH! The date from uname compaired to date of advisory. Shit, >> that only works for kernel. Hmmm > > Conditionalizing on kernel version would be fine for me, but isn't this > the date when the kernel was compiled? The alternative seems to be to > bump __FreeBSD_version for security fixes, but this won't work for > patches. What is the problem with ident(1)? I seems like it was > invented for stuff like this. 
OTOH `ident /usr/bin/cvs' won't help with the recent vulnerability :( From owner-freebsd-vuxml@FreeBSD.ORG Fri Aug 20 02:26:44 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 61D6816A4CF for ; Fri, 20 Aug 2004 02:26:44 +0000 (GMT) Received: from black.imgsrc.co.jp (black.imgsrc.co.jp [210.226.20.147]) by mx1.FreeBSD.org (Postfix) with ESMTP id A0BCD43D48 for ; Fri, 20 Aug 2004 02:26:43 +0000 (GMT) (envelope-from kuriyama@imgsrc.co.jp) Received: from localhost (localhost [127.0.0.1]) by black.imgsrc.co.jp (Postfix) with ESMTP id BEAC750BE2 for ; Fri, 20 Aug 2004 11:26:42 +0900 (JST) Received: from black.imgsrc.co.jp (black.imgsrc.co.jp [IPv6:2001:218:422:2::9999]) by black.imgsrc.co.jp (Postfix) with ESMTP id 64A5650BD6 for ; Fri, 20 Aug 2004 11:26:41 +0900 (JST) Date: Fri, 20 Aug 2004 11:26:41 +0900 Message-ID: <7mn00qa6ji.wl@black.imgsrc.co.jp> From: Jun Kuriyama To: freebsd-vuxml@FreeBSD.org In-Reply-To: <20040817175847.GC43426@madman.celabo.org> References: <20040817122453.05edaaea@localhost> <56FC3488-F075-11D8-924A-00039312D914@fillmore-labs.com> <20040817175847.GC43426@madman.celabo.org> User-Agent: Wanderlust/2.10.1 (Watching The Wheels) SEMI/1.14.6 (Maruoka) FLIM/1.14.6 (Marutamachi) APEL/10.6 Emacs/21.3 (i386--freebsd) MULE/5.0 (SAKAKI) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII X-Virus-Scanned: by amavisd 0.1 Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Aug 2004 02:26:44 -0000 At Tue, 17 Aug 2004 12:58:47 -0500, Jacques A. Vidrine wrote: > In the mean time, could the date of entry be used? 
And perhaps a > comment could be a workaround for now, something like > > 2004-08-17 > > Ugly, I know, but the current format wasn't made for > works-in-progress. Maybe we can make some options for that... This is just an idea, but if you want markup some elements as not yet determined, that elements should be supplied with attribute (such as state="TBD") to indicate the current situation of element body text. -- Jun Kuriyama // IMG SRC, Inc. // FreeBSD Project From owner-freebsd-vuxml@FreeBSD.ORG Fri Aug 20 02:31:55 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BD44616A4CE for ; Fri, 20 Aug 2004 02:31:55 +0000 (GMT) Received: from black.imgsrc.co.jp (black.imgsrc.co.jp [210.226.20.147]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8847543D2D for ; Fri, 20 Aug 2004 02:31:55 +0000 (GMT) (envelope-from kuriyama@imgsrc.co.jp) Received: from localhost (localhost [127.0.0.1]) by black.imgsrc.co.jp (Postfix) with ESMTP id CBD2750B80 for ; Fri, 20 Aug 2004 11:31:54 +0900 (JST) Received: from black.imgsrc.co.jp (black.imgsrc.co.jp [IPv6:2001:218:422:2::9999]) by black.imgsrc.co.jp (Postfix) with ESMTP id 5C41650B7A for ; Fri, 20 Aug 2004 11:31:53 +0900 (JST) Date: Fri, 20 Aug 2004 11:31:53 +0900 Message-ID: <7mllgaa6au.wl@black.imgsrc.co.jp> From: Jun Kuriyama To: freebsd-vuxml@FreeBSD.org In-Reply-To: <7mn00qa6ji.wl@black.imgsrc.co.jp> References: <20040817122453.05edaaea@localhost> <56FC3488-F075-11D8-924A-00039312D914@fillmore-labs.com> <20040817175847.GC43426@madman.celabo.org> <7mn00qa6ji.wl@black.imgsrc.co.jp> User-Agent: Wanderlust/2.10.1 (Watching The Wheels) SEMI/1.14.6 (Maruoka) FLIM/1.14.6 (Marutamachi) APEL/10.6 Emacs/21.3 (i386--freebsd) MULE/5.0 (SAKAKI) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII X-Virus-Scanned: by amavisd 0.1 Subject: Re: cvs commit: 
ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Aug 2004 02:31:55 -0000 At Fri, 20 Aug 2004 11:26:41 +0900, kuriyama wrote: > This is just an idea, but if you want markup some elements as not yet > determined, that elements should be supplied with attribute (such as > state="TBD") to indicate the current situation of element body text. Sorry, Ceri already proposed what I want to say. Grin. :-( -- Jun Kuriyama // IMG SRC, Inc. // FreeBSD Project
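
The ident(1) check proposed by Pete Fritchman and weighed by Oliver Eikemeier in this thread, sketched as an added example (not code from portaudit or from any poster): it parses `$FreeBSD$` keyword lines and compares revisions only within one CVS branch, reporting "unknown" when a binary carries no usable ident string. The ident lines are taken from the thread; the fixed revisions in the advisory table and the path `src/example/missing.c` are constructed for illustration.

```python
import re

# One expanded keyword as printed by ident(1):
#   $FreeBSD: <path>,v <revision> <date> <time> <author> <state> $
IDENT_RE = re.compile(r"\$FreeBSD: (\S+),v (\d+(?:\.\d+)+) ")


def to_tuple(rev):
    """'1.16.2.1' -> (1, 16, 2, 1)"""
    return tuple(int(n) for n in rev.split("."))


def parse_ident(output):
    """Map source path -> revision tuple for every $FreeBSD$ line found."""
    return {path: to_tuple(rev) for path, rev in IDENT_RE.findall(output)}


def check_revision(installed, fixed_revs):
    """Classify one installed revision against an advisory's fixed revisions.

    CVS revisions are only ordered within a single branch, so the installed
    revision is compared with the fix that shares its branch prefix (all
    numbers but the last). With no fix listed for that branch the answer is
    'unknown', never a guess.
    """
    for fix in fixed_revs:
        if len(fix) == len(installed) and fix[:-1] == installed[:-1]:
            return "fixed" if installed[-1] >= fix[-1] else "vulnerable"
    return "unknown"


def audit(ident_output, advisory):
    """advisory: {source path: [fixed revision, one per branch]}."""
    installed = parse_ident(ident_output)
    report = {}
    for path, fixes in advisory.items():
        if path not in installed:
            # The binary embeds no ident string for this file, the case
            # raised in the thread for `ident /usr/bin/cvs'.
            report[path] = "unknown"
        else:
            report[path] = check_revision(installed[path],
                                          [to_tuple(f) for f in fixes])
    return report


# ident output for /usr/bin/passwd as quoted in the thread (lines unwrapped).
SAMPLE_IDENT = """/usr/bin/passwd:
     $FreeBSD: src/usr.bin/passwd/passwd.c,v 1.16.2.1 2001/03/12 10:48:08 assar Exp $
     $FreeBSD: src/usr.sbin/vipw/pw_util.c,v 1.17.2.4 2002/09/04 15:28:10 des Exp $
     $FreeBSD: src/include/rpcsvc/yp.x,v 1.12 1999/08/27 23:45:12 peter Exp $
"""

# Constructed advisory data: these fixed revisions are NOT real advisories.
SAMPLE_ADVISORY = {
    "src/usr.bin/passwd/passwd.c": ["1.16.2.2", "1.20"],  # same branch, older
    "src/usr.sbin/vipw/pw_util.c": ["1.17.2.3"],          # same branch, newer
    "src/include/rpcsvc/yp.x": ["1.12.2.1"],              # fix on other branch
    "src/example/missing.c": ["1.2"],                     # hypothetical path
}

if __name__ == "__main__":
    for path, status in audit(SAMPLE_IDENT, SAMPLE_ADVISORY).items():
        print(f"{status:10s} {path}")
```
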