ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578

Xin LI delphij at delphij.net
Wed Nov 19 15:46:20 PST 2008


Eygene Ryabinkin wrote:
> Xin, good day.
> 
> Wed, Nov 19, 2008 at 10:37:12PM +0000, delphij at FreeBSD.org wrote:
>> Synopsis: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
>>
>> State-Changed-From-To: open->closed
>> State-Changed-By: delphij
>> State-Changed-When: Wed Nov 19 22:36:55 UTC 2008
>> State-Changed-Why: 
>> Committed with some changes, thanks!
> 
> Thanks for handling this.  But I have a question: what is the general
> policy about versions that are to be documented within the 'range'
> clauses?  You had changed version specification to '1.1.4', but it has
> never been in the FreeBSD ports tree.  So, should we specify only
> existing port versions or can we specify vendor-specific versions as
> well, provided that the specification will be the same from the point of
> view of the port version evolution?

The '1.1.4' was chosen because the official release notes said so,
and it is the exact minimum version of the port, if it ever got into the
tree.  Personally I think it's a bad idea to cover versions that we
know not to be vulnerable; for instance, the user might be running
1.1.4 or 1.1.5 with their local patched versions and not want to
upgrade, and making false positives would actually hurt the credibility of
vuxml.

Cheers,
--
Xin LI <delphij at delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
