cvs commit: ports/security/vuxml vuln.xml

Andrew Pantyukhin sat at FreeBSD.org
Thu Oct 5 00:36:05 PDT 2006


On 10/5/06, Vasil Dimov <vd at freebsd.org> wrote:
> On Thu, Oct 05, 2006 at 09:47:40AM +0400, Andrew Pantyukhin wrote:
> > On 10/4/06, Simon L. Nielsen <simon at freebsd.org> wrote:
> > >On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> > >> sat         2006-10-04 17:10:46 UTC
> > >>
> > >>   FreeBSD ports repository
> > >>
> > >>   Modified files:
> > >>     security/vuxml       vuln.xml
> > >>   Log:
> > >>   - Document NULL byte injection vulnerability in phpbb
> > >>
> > >>   Revision  Changes    Path
> > >>   1.1167    +40 -1     ports/security/vuxml/vuln.xml
> > >[...]
> > >> |  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> > >> | +  <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
> > >> | +    <topic>phpbb -- NULL byte injection vulnerability</topic>
> > >> | +    <affects>
> > >> | +      <package>
> > >> | +   <name>phpbb</name>
> > >> | +   <name>zh-phpbb-tw</name>
> > >> | +   <range><lt>2.0.22</lt></range>
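Review bot: the `<range><lt>2.0.22</lt></range>` bound on the last visible line encodes a fix version that, as the rest of this thread shows, is not yet released and is not confirmed by the references; once a 2.0.22 package appears, this entry will stop flagging it whether or not the fix is actually in it. Unless an advisory or the project states the fixed release, use the open-ended form `<range><gt>0</gt></range>` and narrow it to `<lt>` once the fix ships. Only this fragment of the hunk is visible here, so the references and description sections cannot be checked from the mail.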
> > >
> > >Where did you find info about this being fixed in 2.0.22?  I couldn't
> > >find it when checking the references and the phpbb web site.
> >
> > It seems I've been violating an extrapolation of your prior advice
> > to use >0 when there's no fix. My rationale is to look at an advisory,
> > its credibility and publicity, look at the affected project and its
> > history of fixing such advisories and draw a conclusion.
> >
>
> Do I correctly understand that you assumed that the issue will be fixed
> in 2.0.22 which is not yet released?
>
> This sounds totally bogus to me.
> _Do not assume anything!_

This only makes sense if you've been tracking security
issues closely for some time. I understand it does not
appear very rational, so I'll stop doing this and fix this
and some other advisories shortly.

Thanks for your attention!
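The difference between a speculative `<lt>` bound and the `<gt>0</gt>` convention discussed above, shown as an added example that is not part of this thread or of the FreeBSD vuxml tooling. It evaluates VuXML `<range>` elements against a package version using a deliberately simplified dotted-numeric comparison (an assumption: real FreeBSD package version ordering also handles letters, `_N` revisions and `,N` epochs, which is not modelled here). The two `<vuln>` entries and their `vid` values are constructed for the example; the topic and package names come from the quoted commit.

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample document (not the real vuln.xml). The first entry
# uses the speculative <lt>2.0.22</lt> bound from the commit; the second
# uses the open-ended <gt>0</gt> range for "no fix available yet".
SAMPLE_VUXML = """<?xml version="1.0"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="example-speculative-fix">
    <topic>phpbb -- NULL byte injection vulnerability</topic>
    <affects>
      <package>
        <name>phpbb</name>
        <name>zh-phpbb-tw</name>
        <range><lt>2.0.22</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="example-no-fix-yet">
    <topic>phpbb -- NULL byte injection vulnerability</topic>
    <affects>
      <package>
        <name>phpbb</name>
        <name>zh-phpbb-tw</name>
        <range><gt>0</gt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""


def parse_version(v):
    """Simplified version ordering: split on dots, compare numerically.
    Assumption for this example only; not FreeBSD's pkg version rules."""
    return tuple(int(p) for p in v.strip().split("."))


# Every child of a <range> is a bound that must hold for the range to match.
BOUND_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def version_in_range(version, rng):
    """True if `version` satisfies every bound child of the <range> element."""
    v = parse_version(version)
    for bound in rng:
        tag = bound.tag.split("}")[-1]  # strip the namespace prefix
        if tag not in BOUND_OPS:
            raise ValueError("unknown range bound <%s>" % tag)
        if not BOUND_OPS[tag](v, parse_version(bound.text)):
            return False
    return True


def affecting_vulns(xml_text, pkgname, version):
    """Return the vids of every <vuln> whose <affects> covers pkgname/version."""
    root = ET.fromstring(xml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = [n.text for n in pkg.findall("v:name", NS)]
            if pkgname not in names:
                continue
            if any(version_in_range(version, r) for r in pkg.findall("v:range", NS)):
                hits.append(vuln.get("vid"))
                break  # one matching <package> is enough for this vuln
    return hits


if __name__ == "__main__":
    for ver in ("2.0.21", "2.0.22"):
        print(ver, affecting_vulns(SAMPLE_VUXML, "phpbb", ver))
```

For 2.0.21 both entries match. For 2.0.22 only the `<gt>0</gt>` entry still matches: the speculative entry goes silent the moment that version number exists, fix or no fix, while the open-ended entry keeps flagging the package until someone narrows the range after the fix is confirmed.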

