cvs commit: ports/security/vuxml vuln.xml

Vasil Dimov vd at FreeBSD.org
Wed Oct 4 22:56:09 PDT 2006


On Thu, Oct 05, 2006 at 09:47:40AM +0400, Andrew Pantyukhin wrote:
> On 10/4/06, Simon L. Nielsen <simon at freebsd.org> wrote:
> >On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> >> sat         2006-10-04 17:10:46 UTC
> >>
> >>   FreeBSD ports repository
> >>
> >>   Modified files:
> >>     security/vuxml       vuln.xml
> >>   Log:
> >>   - Document NULL byte injection vulnerability in phpbb
> >>
> >>   Revision  Changes    Path
> >>   1.1167    +40 -1     ports/security/vuxml/vuln.xml
> >[...]
> >> |  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> >> | +  <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
> >> | +    <topic>phpbb -- NULL byte injection vulnerability</topic>
> >> | +    <affects>
> >> | +      <package>
> >> | +   <name>phpbb</name>
> >> | +   <name>zh-phpbb-tw</name>
> >> | +   <range><lt>2.0.22</lt></range>
> >
> >Where did you find info about this being fixed in 2.0.22?  I couldn't
> >find it when checking the references and the phpbb web site.
> 
> It seems I've been violating an extrapolation of your prior advice
> to use >0 when there's no fix. My rationale is to look at an advisory,
> it's credibility and publicity, look at the affected project and its
> history of fixing such advisories and draw a conclusion.
> 

Do I correctly understand that you assumed that the issue will be fixed
in 2.0.22 which is not yet released?

This sounds totally bogus to me.
_Do not assume anything!_

-- 
Vasil Dimov
gro.DSBeerF at dv
%
Heavier than air flying machines are impossible.
                -- Lord Kelvin, President, Royal Society, c. 1895
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 155 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/cvs-all/attachments/20061005/0f30b233/attachment.pgp


More information about the cvs-all mailing list