svn commit: r304136 - head/security/vuxml

Eitan Adler eadler at
Wed Sep 12 13:33:43 UTC 2012

On 12 September 2012 09:27, Alexey Dokuchaev <danfe at> wrote:
> On Wed, Sep 12, 2012 at 08:48:31AM -0400, Eitan Adler wrote:
>> On 12 September 2012 03:31, Alexey Dokuchaev <danfe at> wrote:
>> > Author: danfe
>> > Date: Wed Sep 12 07:31:22 2012
>> > New Revision: 304136
>> > URL:
>> >
>> > Log:
>> >   Update NVIDIA arbitrary memory access vulnerability with CVE-2012-4225.
>> Thank you for working to document this issue.  Since the vulnerability
>> is separate issue and could you please create a new VuXML entry
>> instead?
> I thought about it, but then after studying the patch, got convinced that
> actually the issue is the same, but first patch did not address is
> completely.  Do you have another considerations that would warrant separate
> entry?

You can be patched against the first issue but still be vulnerable to
the latter. One rule of thumb is if the version numbers differ between
what was fixed
it should be a separate VuXML.

VuXML doesn't track the underlying issue, it tracks what would helpful
for sysadmins or desktop users.

Think about it this way:
- User sees warning for vuxml vid N
- User updates
- A few days later user sees a warning for vid N again
- User is confused

Eitan Adler
Source & Ports committer
X11, Bugbusting teams

More information about the svn-ports-all mailing list