cvs commit: ports/security/vuxml vuln.xml

Andrew Pantyukhin sat at FreeBSD.org
Wed Oct 4 22:47:42 PDT 2006


On 10/4/06, Simon L. Nielsen <simon at freebsd.org> wrote:
> On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> > sat         2006-10-04 17:10:46 UTC
> >
> >   FreeBSD ports repository
> >
> >   Modified files:
> >     security/vuxml       vuln.xml
> >   Log:
> >   - Document NULL byte injection vulnerability in phpbb
> >
> >   Revision  Changes    Path
> >   1.1167    +40 -1     ports/security/vuxml/vuln.xml
> [...]
> > |  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> > | +  <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
> > | +    <topic>phpbb -- NULL byte injection vulnerability</topic>
> > | +    <affects>
> > | +      <package>
> > | +   <name>phpbb</name>
> > | +   <name>zh-phpbb-tw</name>
> > | +   <range><lt>2.0.22</lt></range>
>
> Where did you find info about this being fixed in 2.0.22?  I couldn't
> find it when checking the references and the phpbb web site.

It seems I've been violating an extrapolation of your prior advice
to use >0 when there's no fix. My rationale is to look at an advisory,
its credibility and publicity, look at the affected project and its
history of fixing such advisories and draw a conclusion.

I understand the security implications of such premature conclusions,
but in fact the probability of a mistake in such cases is comparable
with that of marking a vulnerable port safe (also by mistake). If we
value every bit of security we can get, I should probably have
stopped doing this already. Sorry.

> > | +      </package>
> > | +    </affects>
> > | +    <description>
> > | +      <body xmlns="http://www.w3.org/1999/xhtml">
> > | +   <p>Secunia reports:</p>
>
> [Note that the next comment is general, not just to you]
>
> I'm a bit concerned with the recent number of entries directly/only
> quoting Secunia advisories.  It's OK to quote commercial
> "re-advisories", i.e. advisories which the security company are "just"
> reporting of something found by a 3rd party, some of the time, but
> VuXML shouldn't turn into an advertising post for a company (or other
> OS projects issuing advisories for that matter).
>
> When possible the original report of the problem should be used, or
> when that's not possible (e.g. in this case) new text can be written.
>
> I know it's simpler just to copy/paste one of the "re-advisories", but
> I would really prefer if it wasn't done as much.
>
> On a related note, remember to double check references for the
> "re-advisories" since they don't always get the details right.  E.g.
> Security Focus's vulnerability database ("Bugtraq ID") very often
> lists versions which are vulnerable as not, and the other way around.

Secunia is a source of quite high quality, which does the job
of summarizing a possibly very technical and obscure report
into a concise and clear advisory. But I get your idea and will
try to follow this piece of advice.

Thanks!
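The practical difference between `<lt>2.0.22</lt>` and the `>0` range discussed above can be seen by evaluating a VuXML entry against an installed version. This is an added example, not code from the thread or from the FreeBSD VuXML tooling; the XML fragment is constructed (modelled on the quoted entry, with a second `<vuln>` using `<gt>0</gt>`), and the version comparison is a simplified dotted-numeric one rather than the full pkg_version(1) rules.

```python
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed VuXML fragment modelled on the entry quoted in the thread.
# "example-fixed" claims 2.0.22 is safe; "example-unfixed" uses <gt>0</gt>,
# the convention for "no fixed version known", so every version matches.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="example-fixed">
    <topic>phpbb -- NULL byte injection vulnerability</topic>
    <affects><package>
      <name>phpbb</name><name>zh-phpbb-tw</name>
      <range><lt>2.0.22</lt></range>
    </package></affects>
  </vuln>
  <vuln vid="example-unfixed">
    <topic>phpbb -- NULL byte injection vulnerability</topic>
    <affects><package>
      <name>phpbb</name>
      <range><gt>0</gt></range>
    </package></affects>
  </vuln>
</vuxml>"""

def vcmp(a, b):
    """Simplified comparison on dotted numeric versions (assumption: real
    pkg_version(1) rules are richer; this suffices for plain X.Y.Z)."""
    pa = [int(x) for x in re.findall(r"\d+", a)]
    pb = [int(x) for x in re.findall(r"\d+", b)]
    return (pa > pb) - (pa < pb)

OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "gt": lambda c: c > 0, "ge": lambda c: c >= 0}

def in_range(version, rng):
    """A <range> matches when every bound element inside it holds."""
    return all(OPS[b.tag.split("}")[1]](vcmp(version, b.text.strip()))
               for b in rng)

def affected_by(xml_text, pkgname, version):
    """Return the vids of every <vuln> whose <package> covers pkgname/version."""
    hits = []
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = [n.text.strip() for n in pkg.findall("v:name", NS)]
            ranges = pkg.findall("v:range", NS)
            if pkgname in names and any(in_range(version, r) for r in ranges):
                hits.append(vuln.get("vid"))
    return hits
```

A user on phpbb 2.0.22 is warned only by the `<gt>0</gt>` entry; if the `<lt>2.0.22</lt>` claim turns out to be wrong, that user gets a false "not affected" result.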

