From owner-freebsd-vuxml@FreeBSD.ORG Sun Jan 23 14:56:55 2005 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CBFE416A4CE for ; Sun, 23 Jan 2005 14:56:55 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id 959F543D41 for ; Sun, 23 Jan 2005 14:56:53 +0000 (GMT) (envelope-from dan@langille.org) Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id 000BC3D37 for ; Sun, 23 Jan 2005 09:56:52 -0500 (EST) From: "Dan Langille" To: freebsd-vuxml@freebsd.org Date: Sun, 23 Jan 2005 09:58:55 -0500 MIME-Version: 1.0 Message-ID: <41F3755F.17732.1CCB0831@localhost> Priority: normal X-mailer: Pegasus Mail for Windows (4.21c) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body Subject: what happens if a vuln is loaded in error? X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 23 Jan 2005 14:56:55 -0000 Hi folks, I'm looking over the design of how FreshPorts handles VuXML changes. A thought comes to mind. If a vuln turns out to be false (i.e not a vulnerability at all, for whatever reason), what changes would be made to the VuXML data? How would this situation be fixed? Thanks. -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/ From owner-freebsd-vuxml@FreeBSD.ORG Mon Jan 24 15:47:39 2005 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5483116A4CE for ; Mon, 24 Jan 2005 15:47:39 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id 21BA643D2D for ; Mon, 24 Jan 2005 15:47:39 +0000 (GMT) (envelope-from dan@langille.org) Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id 786353D40 for ; Mon, 24 Jan 2005 10:47:28 -0500 (EST) From: "Dan Langille" To: freebsd-vuxml@freebsd.org Date: Mon, 24 Jan 2005 10:47:28 -0500 MIME-Version: 1.0 Message-ID: <41F4D240.12228.221FB59D@localhost> Priority: normal In-reply-to: <41F3755F.17732.1CCB0831@localhost> X-mailer: Pegasus Mail for Windows (4.21c) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body Subject: Re: what happens if a vuln is loaded in error? X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jan 2005 15:47:39 -0000 On 23 Jan 2005 at 9:58, Dan Langille wrote: > I'm looking over the design of how FreshPorts handles VuXML changes. > A thought comes to mind. If a vuln turns out to be false (i.e not a > vulnerability at all, for whatever reason), what changes would be > made to the VuXML data? How would this situation be fixed? This commit answers my question: http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vuxml/vuln.xml.di ff?r1=1.515&r2=1.516&f=h Thanks -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/ From owner-freebsd-vuxml@FreeBSD.ORG Mon Jan 24 15:58:34 2005 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8C6BD16A4CE for ; Mon, 24 Jan 2005 15:58:34 +0000 (GMT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0B36543D46 for ; Mon, 24 Jan 2005 15:58:34 +0000 (GMT) (envelope-from nectar@celabo.org) Received: from lum.celabo.org (lum.celabo.org [10.0.1.107]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "lum.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 7C2993E2C23; Mon, 24 Jan 2005 09:58:33 -0600 (CST) Received: by lum.celabo.org (Postfix, from userid 1001) id BD3A25938F4; Mon, 24 Jan 2005 09:58:32 -0600 (CST) Date: Mon, 24 Jan 2005 09:58:32 -0600 From: "Jacques A. Vidrine" To: Dan Langille Message-ID: <20050124155832.GF3960@lum.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Dan Langille , freebsd-vuxml@freebsd.org References: <41F3755F.17732.1CCB0831@localhost> <41F4D240.12228.221FB59D@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <41F4D240.12228.221FB59D@localhost> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.6i cc: freebsd-vuxml@freebsd.org Subject: Re: what happens if a vuln is loaded in error? X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jan 2005 15:58:34 -0000 On Mon, Jan 24, 2005 at 10:47:28AM -0500, Dan Langille wrote: > On 23 Jan 2005 at 9:58, Dan Langille wrote: > > > I'm looking over the design of how FreshPorts handles VuXML > > changes. A thought comes to mind. If a vuln turns out to be > > false (i.e not a vulnerability at all, for whatever reason), what > > changes would be made to the VuXML data? How would this situation > > be fixed? > > This commit answers my question: > > http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vuxml/vuln.xml.diff?r1=1.515&r2=1.516&f=h Yep, I made that one just for you (^_^). But seriously, let me draw your attention to the following comments in the VuXML document model DTD (http://www.vuxml.org/dtd/vuxml-1/vuxml-model-11.mod): ,---- | A given `vuln' element may represent either an active issue | or a cancelled issue. Active `vuln's contain the full set | of sub-elements (topic, affects, and so on). Cancelled `vuln's | may contain only a single `cancelled' element. | | A `vuln' should be cancelled only when it was issued in error. `---- ,---- | If a `vuln' is issued in error, it may be cancelled by replacing its | content with a single `cancelled' element. The optional `superseded' | attribute with a VuXML ID value may be used to indicate that another | `vuln' entry replaced this one. | | Example. | | | | `---- Cheers, -- Jacques A Vidrine / NTT/Verio nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org