[Fwd: cvs commit: ports/security/vuxml vuln.xml]
Jacques Vidrine
nectar at FreeBSD.org
Tue Feb 22 11:54:43 PST 2005
> -------- Original Message --------
> Subject: cvs commit: ports/security/vuxml vuln.xml
> Date: Tue, 22 Feb 2005 19:27:32 +0000 (UTC)
> From: Jacques Vidrine <nectar at FreeBSD.org>
> To: ports-committers at FreeBSD.org, cvs-ports at FreeBSD.org, cvs-all at FreeBSD.org
>
> nectar 2005-02-22 19:27:32 UTC
[...]
> Corrections:
> - An invalid UUID was assigned to a FreeRADIUS vulnerability, and went
> undetected since last October. (>_<) Correct it.
Hi,

This is an interesting, if unfortunate, situation. If you are the
author of a web site or application that processes VuXML, you should
probably be aware of this specific issue.

An entry was created with an invalid `vid' attribute. The vid is
supposed to be a UUID (see [1] [2]). Unfortunately, this entry
apparently suffered mutilation during cut-n-paste: the last character
was dropped. I corrected the error by restoring the last character. I
know what that character was "supposed to be" by looking at other
entries made by the same committer. (^_^)

But since the vid is used as a "key" for entries, VuXML parsing
applications may need to take special action to purge the old identifier
(20dfd134-1d39-11d9-9be9-000c6e8f12e) from their files/databases.
Normally when an entry is in error, we can just "cancel" it, but in this
case that isn't possible: even a cancellation refers to the vid.

If you have any questions about this, please let me know!

Oh, I don't expect a repeat in the future. I'm checking for this kind
of mistake now, and fairly frequently. I will likely later add a port
to "lint" VuXML files, also.

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar at celabo.org / jvidrine at verio.net / nectar at FreeBSD.org
[1] http://www.opengroup.org/onlinepubs/9629399/apdxa.htm
[2] http://www.freebsd.org/cgi/man.cgi?query=uuidgen&sektion=2