cvs commit: ports/security/vuxml vuln.xml
Simon L. Nielsen
simon at FreeBSD.org
Wed Oct 4 11:54:56 PDT 2006
On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> sat 2006-10-04 17:10:46 UTC
>
> FreeBSD ports repository
>
> Modified files:
> security/vuxml vuln.xml
> Log:
> - Document NULL byte injection vulnerability in phpbb
>
> Revision Changes Path
> 1.1167 +40 -1 ports/security/vuxml/vuln.xml
[...]
> | <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> | + <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
> | + <topic>phpbb -- NULL byte injection vulnerability</topic>
> | + <affects>
> | + <package>
> | + <name>phpbb</name>
> | + <name>zh-phpbb-tw</name>
> | + <range><lt>2.0.22</lt></range>
Where did you find info about this being fixed in 2.0.22? I couldn't
find it when checking the references and the phpbb web site.
> | + </package>
> | + </affects>
> | + <description>
> | + <body xmlns="http://www.w3.org/1999/xhtml">
> | + <p>Secunia reports:</p>
[Note that the next comment is general, not just to you]
I'm a bit concerned with the recent number of entries directly/only
quoting Secunia advisories. It's OK to quote commercial
"re-advisories", IE. advisories which the security company are "just"
reporting of something found by a 3'rd party, some of the time, but
VuXML shouldn't turn into a advertising post for a company (or other
OS projects issuing advisories for that matter).
When possible the original report of the problem should be used, or
when that's not possible (e.g. in this case) new text can be written.
I know it's simpler just to copy/paste one of the "re-advisories", but
I would really prefer if it wasn't done as much.
On a related note, remember to double check references for the
"re-advisories" since they don't always get the details right. E.g.
Security Focus's vulnerability database ("Bugtraq ID") very often
lists versions which are vulnerable as not, and the other way around.
--
Simon L. Nielsen
FreeBSD Security Team
More information about the cvs-all
mailing list