ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578

Xin LI delphij at delphij.net
Thu Nov 20 12:01:32 PST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, Eygene,

Eygene Ryabinkin wrote:
> Xin,
> 
> Wed, Nov 19, 2008 at 03:46:07PM -0800, Xin LI wrote:
>>> Thanks for handling this.  But I have a question: what is the general
>>> policy about versions that are to be documented within the 'range'
>>> clauses?  You had changed the version specification to '1.1.4', but it
>>> has never been in the FreeBSD ports tree.  So, should we specify only
>>> existing port versions, or can we specify vendor-specific versions as
>>> well, provided that the specification will be the same from the point of
>>> view of the port version evolution?
>> The '1.1.4' was chosen because the official release notes said so,
>> and it is the exact minimum version of the port, if it ever got into the
>> tree.  Personally I think it's a bad idea to cover versions that are
>> known not to be vulnerable; for instance, the user might be running
>> 1.1.4 or 1.1.5 with their locally patched versions and does not want to
>> upgrade.  Creating false positives would actually hurt the credibility of
>> vuxml.
> 
> OK, I expected such an answer.  But then, what will you say after reading
> the history of ports/128698:
>   http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128698
> 
> I understand that the mentioned PR is another case and there was no
> vulnerable version in the official ports tree.  But the two PRs are a bit
> inconsistent in their treatment of the locally patched versions, so I am
> just curious -- maybe there should be some general understanding about
> this?
> 
> Sorry for being so chatty, but I am just trying to understand the policy
> and best practices for VuXML.

OK, I understand what you mean.  I have cc'ed miwi@ and stas@; it looks
like PR 128698 should be committed and not be closed, from my
understanding, but that's my personal opinion.

In my opinion, there is nothing wrong with informing our user community
about a problem that may affect FreeBSD with third-party software.  The
concept of "we protect users who use the official FreeBSD tree" is good,
but the long freeze/slush time could cause users to derive their own
variants of the tree, maybe by applying the patches in the PR (that is
usually seen in replies to -ports@) themselves.  Moreover, I think it's
wrong to close ticket 128698 if no update to 1.1.6 has been committed,
because the committers are a large team and this one should have followed
the better-safe-than-sorry rule.

Now mail/dovecot has been updated to 1.1.6, and it's true that
1.1.5 and 1.1.4 (affected by 128698) never hit the tree.  Because
CVE-2008-4577 and CVE-2008-4578 affect only versions < 1.1.4, it's
wrong to document it as < 1.1.6.  However, if the entry were amended
to cover CVE-2008-4907 as a multiple-vulnerabilities issue for dovecot,
then I don't think covering < 1.1.6 would be a wrong thing to do.

Cheers,
- --
Xin LI <delphij at delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkklwf0ACgkQi+vbBBjt66Cf5ACeKxd7Kb8nwctJ5lVA2JoMUXH7
BRsAoLMZ56EQCpZ77u0cbbwVXu5u1NMa
=PnV2
-----END PGP SIGNATURE-----
