On 10/5/06, Vasil Dimov <[EMAIL PROTECTED]> wrote:
On Thu, Oct 05, 2006 at 09:47:40AM +0400, Andrew Pantyukhin wrote:
> On 10/4/06, Simon L. Nielsen <[EMAIL PROTECTED]> wrote:
> >On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> >> sat 2006-10-04 17:10:46 UTC
> >>
> >> FreeBSD ports repository
> >>
> >> Modified files:
> >> security/vuxml vuln.xml
> >> Log:
> >> - Document NULL byte injection vulnerability in phpbb
> >>
> >> Revision Changes Path
> >> 1.1167 +40 -1 ports/security/vuxml/vuln.xml
> >[...]
> >> | <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1";>
> >> | + <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
> >> | + <topic>phpbb -- NULL byte injection vulnerability</topic>
> >> | + <affects>
> >> | + <package>
> >> | + <name>phpbb</name>
> >> | + <name>zh-phpbb-tw</name>
> >> | + <range><lt>2.0.22</lt></range>
> >
> >Where did you find info about this being fixed in 2.0.22? I couldn't
> >find it when checking the references and the phpbb web site.
>
> It seems I've been violating an extrapolation of your prior advice
> to use >0 when there's no fix. My rationale is to look at an advisory,
> it's credibility and publicity, look at the affected project and its
> history of fixing such advisories and draw a conclusion.
>
Do I correctly understand that you assumed that the issue will be fixed
in 2.0.22 which is not yet released?
This sounds totally bogus to me.
_Do not assume anything!_
This only makes sense if you've been tracking security
issues closely for some time. I understand it does not
appear very rational, so I'll stop doing this and fix this
and some other advisories shortly.
Thanks for your attention!
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
