ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6

Eygene Ryabinkin rea-fbsd at codelabs.ru
Wed Nov 19 01:13:08 PST 2008


Steven,

Tue, Nov 18, 2008 at 02:50:59PM -0500, Steven M. Christey wrote:
> > So, the VuXML entry should be changed accordingly.  New content is
> > attached.
> 
> Just for my own understanding, did the erroneous CVE description cause any
> extra work on your part?

No "extra" work.  I had just copied the description from CVE and forgot
to change erroneous "5.6" to something more sane.  Jille was kind to
point me to this.  But it was not clear where in 5.x line the error was
introduced.  I had crawled via the PHP CVS and had found that it was
there for the whole 5.x line.

> What if the desc had only said "5.2 through 5.2.6" at first?

I think I will ask myself something like "OK, but what about PHP 5.0 and
5.1?  Are they vulnerable?"  In principle, I _had_ asked myself about it
and had traced the code via sources back to at least 4.x, so I had
written '<=5.2.6_3' as the vulnerable version specification in the VuXML
entry.  I just forgot to change the description.

> I'm asking because I'm trying to understand how people use CVE and what
> impact our errors might have on others.

It may vary, of course.  Typically, I am trying to validate CVE
descriptions via some other sources, most used are vendor changelogs
and original advisories.  Source code crawling is good too, but it
may be unavailable or a bit uneasy.  I think that generally people
tend to trust CVE entries, but checking is always good ;))
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual   
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook 
    {_.-``-'         {_/            #