Date:      Wed, 19 Nov 2008 12:13:03 +0300
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        "Steven M. Christey" <coley@linus.mitre.org>
Cc:        Jille Timmermans <jille@quis.cx>, bug-followup@freebsd.org, freebsd-security@freebsd.org, cve@mitre.org, mloveless@mitre.org, coley@mitre.org
Subject:   Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
Message-ID:  <U6qbEr86yzGsiKNIeinaa2qfV5g@d6yCabBfxdg3ct%2Bc9Yg%2BgwcLjj0>
In-Reply-To: <Pine.GSO.4.51.0811181449170.22800@faron.mitre.org>
References:  <20081118103433.38D5817115@shadow.codelabs.ru> <4922B371.6070002@quis.cx> <TqoTo5jliabZzOUld/zrRy5vtzI@%2BC9avPjAe6kfv7rH%2BxyHzR2RFw8> <4922B6F9.2000408@quis.cx> <9a6isDG2HABVFiTQKRYgHLbugj0@N7cbPDipnvOyJMD9YzFbYf8QNqE> <Pine.GSO.4.51.0811180957530.22800@faron.mitre.org> <HFT9UPqQxMKr5hueUanFpyCwPgI@BWOFZFtpv6375xxU2Y12WR4LQqg> <Pine.GSO.4.51.0811181449170.22800@faron.mitre.org>


Steven,

Tue, Nov 18, 2008 at 02:50:59PM -0500, Steven M. Christey wrote:
> > So, the VuXML entry should be changed accordingly.  New content is
> > attached.
>
> Just for my own understanding, did the erroneous CVE description cause any
> extra work on your part?

No "extra" work.  I had just copied the description from CVE and forgot
to change the erroneous "5.6" to something more sane.  Jille was kind to
point me to this.  But it was not clear where in the 5.x line the error was
introduced.  I had crawled via the PHP CVS and had found that it was
there for the whole 5.x line.

> What if the desc had only said "5.2 through 5.2.6" at first?

I think I will ask myself something like "OK, but what about PHP 5.0 and
5.1?  Are they vulnerable?"  In principle, I _had_ asked myself about it
and had traced the code via sources back to at least 4.x, so I had
written '<=5.2.6_3' as the vulnerable version specification in the VuXML
entry.  I just forgot to change the description.

> I'm asking because I'm trying to understand how people use CVE and what
> impact our errors might have on others.

It may vary, of course.  Typically, I am trying to validate CVE
descriptions via some other sources, most used are vendor changelogs
and original advisories.  Source code crawling is good too, but it
may be unavailable or a bit uneasy.  I think that generally people
tend to trust CVE entries, but checking is always good ;))
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
