From: Ben Morrow
To: hawei@free.fr, freebsd-stable@freebsd.org
Date: Mon, 10 Aug 2009 18:41:27 +0100
Subject: Re: status of flash9/flash10 support in RELENG_7 ?
Message-ID: <20090810174127.GA63355@osiris.mauzo.dyndns.org>
In-Reply-To: <20090810080406.GA1608@pollux.local.net>

Quoth Harald :
> On Sun, Aug 09, 2009 at 11:04:52PM +0100, Ben Morrow wrote:
>
> > I was about to say 'I believe the vuxml entry for firefox is incorrect',
> > but I see it's been fixed. Neither 3.0.13 nor 3.5.2 are vulnerable, and
> > vuxml now correctly reports this.
>
> Today security/vuxml/vuln.xml says:
>
> firefox
> linux-firefox
> 3.*,1
> 3.*,13.0.13,1
> 3.5.*,13.5.2,1
>
> 1. Could someone tell me the meaning of the ``*'' values please ?
>    I can't see the logic of the range lines.

3.* is the lowest possible version starting with '3.': in particular,
it's less than 3.0 and less than 3.a . So the 3.*,1 will match anything
less than firefox3. The next two lines deal with the specifics of which
firefox3 versions are vulnerable.

> 2. Yesterday I installed firefox quickly with ``pkg_add -r firefox3''
>    and got firefox-3.0.10,1.
>    Portaudit declares it vulnerable which seems to correspond
>    to the second range line.
>    I guess I have to compile firefox3 to be clean ?

3.0.10,1 is vulnerable, yes. If there aren't packages for 3.0.13,1 yet
you will need to compile it yourself.

Ben
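
The ordering described in the reply above, as an added example that is not part of the original message and is not the FreeBSD pkg tools' own code: a simplified Python model of port version comparison in which `*` sorts below every real component, applied to the three quoted ranges. The range operators (open lower bound, exclusive upper bound) are assumptions, since the archived quote lost its XML tags, and all function names are hypothetical.

```python
import re
from itertools import zip_longest

WILDCARD = (-2, "", 0)  # '*' sorts below every real component
ZERO = (0, "", 0)       # a missing component counts as 0 (model assumption)

def _component(text):
    if text == "*":
        return WILDCARD
    m = re.fullmatch(r"(\d*)([a-z]?)(\d*)", text)
    if m is None:
        raise ValueError(f"unsupported version component: {text!r}")
    num, letter, patch = m.groups()
    # A component without leading digits (e.g. 'a') sorts below 0 but above '*'.
    return (int(num) if num else -1, letter, int(patch or 0))

def sort_key(version):
    """Split 'version[_revision][,epoch]' into (epoch, components, revision)."""
    rest, _, epoch = version.partition(",")
    rest, _, revision = rest.partition("_")
    return int(epoch or 0), [_component(c) for c in rest.split(".")], int(revision or 0)

def compare(a, b):
    """Return -1, 0 or 1; epoch dominates, then components, then revision."""
    ea, ca, ra = sort_key(a)
    eb, cb, rb = sort_key(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in zip_longest(ca, cb, fillvalue=ZERO):
        if x != y:
            return -1 if x < y else 1
    return (ra > rb) - (ra < rb)

# The three quoted ranges as (lower, upper), meaning lower < v < upper.
# Operators are assumed; only the version strings survive in the archive.
RANGES = [(None, "3.*,1"), ("3.*,1", "3.0.13,1"), ("3.5.*,1", "3.5.2,1")]

def is_vulnerable(version):
    for low, high in RANGES:
        if (low is None or compare(version, low) > 0) and compare(version, high) < 0:
            return True
    return False
```

Whether the lower bounds are strict or inclusive makes no difference for installed packages, because no real version string equals `3.*` or `3.5.*`.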