svn commit: r304136 - head/security/vuxml

Alexey Dokuchaev danfe at FreeBSD.org
Wed Sep 12 14:07:43 UTC 2012


On Wed, Sep 12, 2012 at 09:33:10AM -0400, Eitan Adler wrote:
> You can be patched against the first issue but still be vulnerable to
> the latter. One rule of thumb is if the version numbers differ between
> what was fixed it should be a separate VuXML.
> 
> VuXML doesn't track the underlying issue, it tracks what would helpful
> for sysadmins or desktop users.
> 
> Think about it this way:
> - User sees warning for vuxml vid N
> - User updates
> - A few days later user sees a warning for vid N again
> - User is confused

He should not be: vulnerability description was updated accordingly.  As for
version numbers, it should not be an issue since previously I was more
conservative and now the range(s) cover all the spectrum.  In fact, I would
be confused to see two very similar VuXML vids.

That said, if you still prefer to have two separate entries, let it be so,
I'll update it.

./danfe



More information about the svn-ports-all mailing list