confused by ranges

Mathieu Arnold mat at FreeBSD.org
Sun Sep 19 05:47:16 PDT 2004


+-On 19/09/2004 08:38 -0400, Dan Langille wrote:
| On 19 Sep 2004 at 9:56, Mathieu Arnold wrote:
| 
|> +-On 18/09/2004 17:21 -0400, Dan Langille wrote:
|> | I'm having a quick look through vuln.xml:
|> | 
|> |         <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
|> | 
|> | Intuitively, that means you are vulnerable if you have versions >= 
|> | 2.0 or < 2.0.50_3.
|> 
|> This one is an AND: VER > 2.0 AND VER < 2.0.50_3
| 
| If there are two operators in a range, it is an AND.  The testing 
| values always go before the supplied operator.  Correct?
| 
|> | Is that correct?  Is that how to apply the rules. I found the DTD 
|> | confused me more than the examples did.
|> | 
|> | This is an interesting example:
|> | 
|> |         <range><lt>1.1.2_1</lt></range>
|> |         <range><ge>2.0</ge></range>
|> | 
|> | Two range statements in the same package... instead of one range with 
|> | two operators.  Why?
|> 
|> This one is an OR, that is VER < 1.1.2_1 or VER > 2.0
|> 
|> because the version can't be < 1.1.2_1 and > 2.0.
| 
| If there are multiple ranges for a package within a vuln, they are 
| used to construct an OR.  Actually, they could be applied separately 
| to test values separately (i.e. if one was processing this one row at 
| a time, you could just test the value and not worry about whether or 
| not the next row contained another range entry).
| 
| Correct?

Yes, I think this description is a bit too complicated.

A <range>...</range> value defines a range of affected versions, and there
can be multiple ranges for a package.
But we're saying the same thing :-)

-- 
Mathieu Arnold
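The two rules settled in this thread (operators inside one <range> are ANDed, several <range> elements under the same <package> are ORed) are small enough to check in code. The following is an added example written for this archive page, not part of the FreeBSD VuXML tooling; the vuln document it parses is constructed from the two snippets quoted above (with a placeholder vid and made-up package names), and the version comparison is a simplified reading of FreeBSD port versions (dotted components, `_N` PORTREVISION, `,N` PORTEPOCH) rather than the full pkg_version ordering, which is an assumption of the example. The <ge> tag is evaluated as ">=" because that is what the tag name says.

```python
"""Evaluate VuXML <range> elements the way the thread describes:
AND within a <range>, OR across <range> elements of one <package>.
Added example, not FreeBSD's own code."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: both <range> forms quoted in the thread, wrapped in a
# minimal <vuln> skeleton with a placeholder vid and invented package names.
SAMPLE_VULN = """
<vuln vid="PLACEHOLDER-VID">
  <affects>
    <package>
      <name>foo</name>
      <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
    </package>
    <package>
      <name>bar</name>
      <range><lt>1.1.2_1</lt></range>
      <range><ge>2.0</ge></range>
    </package>
  </affects>
</vuln>
"""


def parse_version(v):
    """Split 'X.Y.Z_rev,epoch' into (epoch, [components], revision).

    Simplified ordering (assumption of this example): numeric dotted
    components, an optional letter suffix per component compared as text,
    then PORTREVISION after '_' and PORTEPOCH after ','.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = []
    for comp in v.split("."):
        m = re.match(r"(\d*)(.*)", comp)
        num = int(m.group(1)) if m.group(1) else 0
        parts.append((num, m.group(2)))
    return epoch, parts, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like a classic cmp(); shorter versions pad with 0."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa = pa + [(0, "")] * (n - len(pa))
    pb = pb + [(0, "")] * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)


# The installed version is always the left operand, as the thread confirms.
OPERATORS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def range_matches(rng, version):
    """All operator children of one <range> must hold (AND)."""
    return all(OPERATORS[op.tag](compare_versions(version, op.text.strip()))
               for op in rng)


def package_affected(pkg, version):
    """Any one <range> under the <package> is enough (OR)."""
    return any(range_matches(r, version) for r in pkg.findall("range"))


def affected_packages(vuln_xml, installed):
    """installed: {name: version}. Returns the names that fall in a range."""
    root = ET.fromstring(vuln_xml)
    hits = []
    for pkg in root.iter("package"):
        name = pkg.findtext("name")
        if name in installed and package_affected(pkg, installed[name]):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for inst in ({"foo": "2.0.50_2"}, {"foo": "2.0.50_3"},
                 {"bar": "1.0"}, {"bar": "1.5"}, {"bar": "2.1"}):
        print(inst, "->", affected_packages(SAMPLE_VULN, inst))
```

Note that `range_matches` treats each element child in document order and never looks at the sibling <range> elements, which is exactly the "process one row at a time" property Dan asks about: the OR falls out of `any()` over the package's ranges, so a scanner that emits a hit per matching range gets the same answer.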