From liukang at bjut.edu.cn  Mon Mar  7 14:41:43 2005
From: liukang at bjut.edu.cn (Kang Liu)
Date: Mon Mar  7 14:41:46 2005
Subject: possible wrong date in 4a0b334d-8d8d-11d9-afa0-003048705d5a
Message-ID: <310205489.09789@bjut.edu.cn>

Hi,
  The discovery date of 4a0b334d-8d8d-11d9-afa0-003048705d5a might be
wrong. I've told delphij (the submitter of that entry), while he said that
date came from the original source. But, as we all know, 2005 is not a leap
year, actually there is no Feb 29th 2005... I think it could be better if we
change it to Feb 28th 2005.

Best wishes,
Kang

From delphij at frontfree.net  Mon Mar  7 15:34:07 2005
From: delphij at frontfree.net (Xin LI)
Date: Mon Mar  7 15:34:08 2005
Subject: possible wrong date in 4a0b334d-8d8d-11d9-afa0-003048705d5a
In-Reply-To: <310205489.09789@bjut.edu.cn>
References: <310205489.09789@bjut.edu.cn>
Message-ID: <1110209378.669.42.camel@spirit>

On Mon, 2005-03-07 at 22:41 +0800, Kang Liu wrote:
> Hi,
>   The discovery date of 4a0b334d-8d8d-11d9-afa0-003048705d5a might be
> wrong. I've told delphij (the submitter of that entry), while he said that
> date came from the original source. But, as we all know, 2005 is not a leap
> year, actually there is no Feb 29th 2005... I think it could be better if we
> change it to Feb 28th 2005.

Thanks for noticing this. I'm aware of the issue, but the
official version claims Feb 29th:

http://216.127.76.78/~neosecur/index.php?pagina=advisories&id=8

And my letter has been bounced before I have decided to commit it as-is.

I'm inclined to keep it there until some of us can *actually* contact
the author to confirm the discovery date. Replacing an official (while
it appears to be wrong) date with a guessed value (we will never know if
it is or is not wrong, and I personally infer it should be March 1st) is
more or less pointless.

BTW, what's your opinion about the fix? Without having a correct
filtering of user input, one can launch XSS attacks which puts users in
danger.

Cheers,
-- 
Xin LI http://www.delphij.net/

From nectar at FreeBSD.org  Mon Mar  7 15:50:34 2005
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Mon Mar  7 15:50:35 2005
Subject: possible wrong date in 4a0b334d-8d8d-11d9-afa0-003048705d5a
In-Reply-To: <1110209378.669.42.camel@spirit>
References: <310205489.09789@bjut.edu.cn> <1110209378.669.42.camel@spirit>
Message-ID: <20050307155031.GE3503@lum.celabo.org>

On Mon, Mar 07, 2005 at 11:29:38PM +0800, Xin LI wrote:
> On Mon, 2005-03-07 at 22:41 +0800, Kang Liu wrote:
> > Hi,
> >   The discovery date of 4a0b334d-8d8d-11d9-afa0-003048705d5a might be
> > wrong. I've told delphij (the submitter of that entry), while he said that
> > date came from the original source. But, as we all know, 2005 is not a leap
> > year, actually there is no Feb 29th 2005... I think it could be better if we
> > change it to Feb 28th 2005.
>
> Thanks for noticing this. I'm aware of the issue, but the
> official version claims Feb 29th:
>
> http://216.127.76.78/~neosecur/index.php?pagina=advisories&id=8
>
> And my letter has been bounced before I have decided to commit it as-is.
>
> I'm inclined to keep it there until some of us can *actually* contact
> the author to confirm the discovery date. Replacing an official (while
> it appears to be wrong) date with a guessed value (we will never know if
> it is or is not wrong, and I personally infer it should be March 1st) is
> more or less pointless.

No, it must be changed and I have already done so.
It is unacceptable to have an invalid date: VuXML applications are
encouraged to get mad when encountering such bogus data (^_^). I've
changed it to 2005-02-28 in the interim.

The date cannot be `official'... it is not a date any more than
2005-99-99 is a date.

The "discovery" date is actually the date of first public disclosure,
by the way. Thus, it seems that 2005-03-02 is probably most accurate.
However, it isn't really important. It is just to give people an idea
of how long they may have been exposed.

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From delphij at frontfree.net  Mon Mar  7 16:28:43 2005
From: delphij at frontfree.net (Xin LI)
Date: Mon Mar  7 16:28:44 2005
Subject: possible wrong date in 4a0b334d-8d8d-11d9-afa0-003048705d5a
In-Reply-To: <20050307155031.GE3503@lum.celabo.org>
References: <310205489.09789@bjut.edu.cn> <1110209378.669.42.camel@spirit> <20050307155031.GE3503@lum.celabo.org>
Message-ID: <1110212830.669.48.camel@spirit>

On Mon, 2005-03-07 at 09:50 -0600, Jacques A. Vidrine wrote:
> No, it must be changed and I have already done so. It is unacceptable
> to have an invalid date: VuXML applications are encouraged to get mad
> when encountering such bogus data (^_^). I've changed it to
> 2005-02-28 in the interim.

Err... I haven't considered an application that will deal with that
date :-) Thanks for fixing it.

Cheers,
-- 
Xin LI http://www.delphij.net/

From simon at FreeBSD.org  Tue Mar  8 20:44:40 2005
From: simon at FreeBSD.org (Simon L. Nielsen)
Date: Tue Mar  8 20:44:43 2005
Subject: possible wrong date in 4a0b334d-8d8d-11d9-afa0-003048705d5a
In-Reply-To: <20050307155031.GE3503@lum.celabo.org>
References: <310205489.09789@bjut.edu.cn> <1110209378.669.42.camel@spirit> <20050307155031.GE3503@lum.celabo.org>
Message-ID: <20050308204435.GC786@zaphod.nitro.dk>

On 2005.03.07 09:50:32 -0600, Jacques A. Vidrine wrote:
> The "discovery" date is actually the date of first public disclosure,
> by the way. Thus, it seems that 2005-03-02 is probably most accurate.
> However, it isn't really important. It is just to give people an idea
> of how long they may have been exposed.

Whoops... I always thought it was when the issue was first discovered,
i.e. the first date it was mentioned... Oh well :-).

-- 
Simon L. Nielsen
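
The check discussed in this thread, rejecting a `<dates>` value such as 2005-02-29 or 2005-99-99 instead of passing it along, as an added example that is not part of the original messages or of any VuXML tool. The function names are hypothetical, and the sample document is constructed: only the first vid and its 2005-02-29 discovery date come from the thread, the entry dates and the second vid are made up.

```python
import datetime
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
ISO_DATE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

# Constructed sample input (see lead-in for which values are from the thread).
SAMPLE = """\
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="4a0b334d-8d8d-11d9-afa0-003048705d5a">
    <dates><discovery>2005-02-29</discovery><entry>2005-03-05</entry></dates>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <dates><discovery>2005-02-28</discovery><entry>2005-03-05</entry></dates>
  </vuln>
</vuxml>
"""

def check_date(text):
    """Return None for a real calendar date in YYYY-MM-DD form, else a reason."""
    value = (text or "").strip()
    if not ISO_DATE.fullmatch(value):
        return "not in YYYY-MM-DD form"
    year, month, day = (int(part) for part in value.split("-"))
    try:
        datetime.date(year, month, day)  # raises on Feb 29 in a non-leap year
    except ValueError as exc:
        return str(exc)
    return None

def invalid_dates(xml_text):
    """List (vid, element, value, reason) for every bogus date in the document."""
    problems = []
    root = ET.fromstring(xml_text)
    for vuln in root.findall("v:vuln", NS):
        dates = vuln.find("v:dates", NS)
        if dates is None:
            continue
        for child in dates:  # discovery, entry and, if present, modified
            reason = check_date(child.text)
            if reason:
                tag = child.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
                problems.append((vuln.get("vid"), tag, child.text, reason))
    return problems

if __name__ == "__main__":
    for vid, tag, value, reason in invalid_dates(SAMPLE):
        print(f"{vid}: <{tag}> {value!r} rejected ({reason})")
```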