On 10/4/06, Simon L. Nielsen <[EMAIL PROTECTED]> wrote:
> On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> > sat 2006-10-04 17:10:46 UTC
> >
> > FreeBSD ports repository
> >
> > Modified files:
> > security/vuxml vuln.xml
> > Log:
> > - Document NULL byte injection vulnerability in phpbb
> >
> > Revision Changes Path
> > 1.1167 +40 -1 ports/security/vuxml/vuln.xml
> [...]
> > | <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> > | + <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
> > | + <topic>phpbb -- NULL byte injection vulnerability</topic>
> > | + <affects>
> > | + <package>
> > | + <name>phpbb</name>
> > | + <name>zh-phpbb-tw</name>
> > | + <range><lt>2.0.22</lt></range>
> Where did you find info about this being fixed in 2.0.22? I couldn't
> find it when checking the references and the phpbb web site.
It seems I've been violating an extrapolation of your prior advice
to use >0 when there's no fix. My rationale is to look at an advisory,
its credibility and publicity, look at the affected project and its
history of fixing such advisories and draw a conclusion.
I understand security implications of such premature conclusions,
but in fact the probability of a mistake in such cases is comparable
with that of marking a vulnerable port safe (also by mistake). If we
value every bit of security we can get, I should probably have
stopped doing this already. Sorry.
> > | + </package>
> > | + </affects>
> > | + <description>
> > | + <body xmlns="http://www.w3.org/1999/xhtml">
> > | + <p>Secunia reports:</p>
> [Note that the next comment is general, not just to you]
> I'm a bit concerned with the recent number of entries directly/only
> quoting Secunia advisories. It's OK to quote commercial
> "re-advisories", i.e. advisories which the security company are "just"
> reporting of something found by a third party, some of the time, but
> VuXML shouldn't turn into an advertising post for a company (or other
> OS projects issuing advisories for that matter).
> When possible the original report of the problem should be used, or
> when that's not possible (e.g. in this case) new text can be written.
> I know it's simpler just to copy/paste one of the "re-advisories", but
> I would really prefer if it wasn't done as much.
> On a related note, remember to double check references for the
> "re-advisories" since they don't always get the details right. E.g.
> Security Focus's vulnerability database ("Bugtraq ID") very often
> lists versions which are vulnerable as not, and the other way around.
Secunia is a source of quite high quality, which does the job
of summarizing a possibly very technical and obscure report
into a concise and clear advisory. But I get your idea and will
try to follow this piece of advice.
Thanks!
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
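The thread turns on what a VuXML `<range>` actually does to users of the port: an entry with `<lt>2.0.22</lt>` tells the checker that 2.0.22 is clean, while the `>0` convention (`<gt>0</gt>`) flags every version until someone verifies the real fixed-in release. The script below is an added example, not code from this thread, from the FreeBSD VuXML tooling or from portaudit. It parses a VuXML document and evaluates the quoted entry's range against a few package versions, then does the same with the range swapped for `<gt>0</gt>`. The XML is constructed from the fields quoted in the commit (the vid and package names are copied from it); version handling is a deliberate simplification (purely numeric dotted versions, an assumption; real pkg versions also carry `_N` and `,N` suffixes).

```python
# Added example: evaluate VuXML <range> elements against package versions.
# Not part of the thread or of the FreeBSD ports tooling.
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed entry mirroring the quoted commit (vid and names copied from it).
VULN_XML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
    <topic>phpbb -- NULL byte injection vulnerability</topic>
    <affects>
      <package>
        <name>phpbb</name>
        <name>zh-phpbb-tw</name>
        <range><lt>2.0.22</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

# The same entry using the ">0" convention: every version is affected until a
# verified fixed-in version replaces the range.
OPEN_RANGE_XML = VULN_XML.replace("<range><lt>2.0.22</lt></range>",
                                  "<range><gt>0</gt></range>")

# Comparison operators VuXML allows as children of <range>.
BOUND_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def version_key(version):
    """Turn '2.0.22' into (2, 0, 22) so tuples compare component-wise.
    Assumption: purely numeric dotted versions (no _N / ,N suffixes)."""
    return tuple(int(part) for part in version.split("."))


def in_range(version, range_elem):
    """True if `version` satisfies every bound child of a <range> element."""
    key = version_key(version)
    for bound in range_elem:
        op_name = bound.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        if not BOUND_OPS[op_name](key, version_key(bound.text.strip())):
            return False
    return True


def affected_by(xml_text, pkg_name, version):
    """Return the vid of the first <vuln> whose <package> lists `pkg_name`
    and whose <range> includes `version`; None if the version is clean."""
    root = ET.fromstring(xml_text)
    for vuln in root.findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = {n.text.strip() for n in pkg.findall("v:name", NS)}
            if pkg_name not in names:
                continue
            if any(in_range(version, r) for r in pkg.findall("v:range", NS)):
                return vuln.get("vid")
    return None


if __name__ == "__main__":
    for label, doc in (("<lt>2.0.22</lt>", VULN_XML),
                       ("<gt>0</gt>", OPEN_RANGE_XML)):
        for ver in ("2.0.21", "2.0.22"):
            vid = affected_by(doc, "phpbb", ver)
            state = "AFFECTED " + vid if vid else "not affected"
            print(f"{label:16} phpbb-{ver}: {state}")
```

With the guessed range, `phpbb-2.0.22` is reported clean; with `<gt>0</gt>` it is still flagged. The second outcome is noisy but fails safe, which is the trade-off the reply above acknowledges when it says a premature fixed-in version is the same kind of mistake as marking a vulnerable port safe.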