Date: Mon, 8 Sep 2008 09:18:18 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Andrew Storms <astorms@ncircle.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Question on recent PHP VuXML info
Message-ID: <20080908161818.GA72963@icarus.home.lan>
In-Reply-To: <C4EA93ED.1AD025%astorms@ncircle.com>
References: <C4EA93ED.1AD025%astorms@ncircle.com>
On Mon, Sep 08, 2008 at 08:33:49AM -0700, Andrew Storms wrote:
> Not sure if this is the correct place for VuXML questions, but the FreeBSD
> VuXML list (http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty
> dead given the last update was in 2007 according to the archives.
>
> We were previously tracking this entry, which pretty much sat for a while
> without an applicable upgradeable resolution available.
>
> Affected package: php5-posix-5.2.6
> Type of problem: php -- input validation error in posix_access function.
> Reference:
> <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849.html>
> -----------
>
> Then late last week, the same VuXML ID started reporting this information
> instead:
>
> Affected package: php5-5.2.6
> Type of problem: php -- input validation error in safe_mode.
> Reference:
> <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849.html>
> ------------
>
> The generic question I'm asking is: What happened and why? Seems to me that
> if you have a VuXML ID (which, I thought wasn't supposed to be re-used), then
> its name and description shouldn't just apparently change one day.
>
> So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with the same ID
> the same bug, a new description, does the newer supersede, etc, etc? Where
> can I get the background on what went on here?
My initial impression after reading the full disclosures on SecurityFocus is
that these two flaws are separate, and should have been given separate VuXML
IDs:

CVE-2008-2665: http://www.securityfocus.com/bid/29797
CVE-2008-2666: http://www.securityfocus.com/bid/29796

As for the CVS commits under scrutiny, here they are in chronological order:

Revision 1.1645
Revision 1.1646
Revision 1.1647
Revision 1.1676

http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vuxml/vuln.xml

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
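As an added example (not code from this thread or from the FreeBSD VuXML project), a small Python script that flags exactly what the question above describes: a vuln.xml entry whose vid survives between two revisions while its topic, affected packages or CVE references change. The two XML documents are constructed to mirror the two states quoted in the mail, the element names follow the VuXML 1 schema, and the `<eq>5.2.6</eq>` ranges are an assumption.

```python
"""Added example, not code from the thread or the VuXML project: report
vuln.xml entries that keep their vid but change topic, packages or CVEs.
The XML below is constructed to mirror the two states quoted in the mail."""
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}  # VuXML 1 namespace


def _vuln(vid, topic, pkgs, cves):
    """Build one constructed <vuln> element; the 5.2.6 range is assumed."""
    affects = "".join(
        f"<package><name>{p}</name><range><eq>5.2.6</eq></range></package>"
        for p in pkgs)
    refs = "".join(f"<cvename>{c}</cvename>" for c in cves)
    return (f'<vuln vid="{vid}"><topic>{topic}</topic>'
            f"<affects>{affects}</affects><references>{refs}</references></vuln>")


VID = "ee6fa2bd-406a-11dd-936a-0015af872849"
OLD_XML = ('<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">'
           + _vuln(VID, "php -- input validation error in posix_access function",
                   ["php5-posix"], ["CVE-2008-2665"]) + "</vuxml>")
NEW_XML = ('<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">'
           + _vuln(VID, "php -- input validation error in safe_mode",
                   ["php5"], ["CVE-2008-2666"]) + "</vuxml>")


def entries(xml_text):
    """Map vid -> {topic, packages, cves} for every <vuln> in the document."""
    out = {}
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        out[vuln.get("vid")] = {
            "topic": vuln.findtext("v:topic", default="", namespaces=NS).strip(),
            "packages": frozenset(n.text.strip() for n in
                                  vuln.findall("v:affects/v:package/v:name", NS)),
            "cves": frozenset(c.text.strip() for c in
                              vuln.findall("v:references/v:cvename", NS)),
        }
    return out


def changed_entries(old_xml, new_xml):
    """vid -> sorted field names that differ, for vids present in both files."""
    old, new = entries(old_xml), entries(new_xml)
    diff = {}
    for vid in old.keys() & new.keys():
        fields = sorted(k for k in old[vid] if old[vid][k] != new[vid][k])
        if fields:
            diff[vid] = fields
    return diff


if __name__ == "__main__":
    for vid, fields in changed_entries(OLD_XML, NEW_XML).items():
        print(vid, "changed:", ", ".join(fields))
```

Running it against two real checkouts of vuln.xml (for example the revisions listed above) shows whether an existing vid was silently repurposed rather than a new entry added.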