ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578

Eygene Ryabinkin rea-fbsd at codelabs.ru
Wed Nov 19 16:44:05 PST 2008


Xin,

Wed, Nov 19, 2008 at 03:46:07PM -0800, Xin LI wrote:
> > Thanks for handling this.  But I have a question: what is the general
> > policy about versions that are to be documented within the 'range'
> > clauses?  You had changed the version specification to '1.1.4', but it has
> > never been in the FreeBSD ports tree.  So, should we specify only
> > existing port versions, or can we specify vendor-specific versions as
> > well, provided that the specification will be the same from the point of
> > view of the port version evolution?
> 
> The '1.1.4' was chosen because the official release notes said so,
> and it is the exact minimum version of the port, if it ever got into the
> tree.  Personally I think it's a bad idea to cover versions that are
> known not to be vulnerable; for instance, the user might be running
> 1.1.4 or 1.1.5 with their locally patched versions and does not want to
> upgrade, so making false positives would actually hurt the credibility of
> vuxml.

OK, I expected such an answer.  But then, what will you say after reading
the history of ports/128698:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128698

I understand that the mentioned PR is another case and there was no
vulnerable version in the official ports tree.  But the two PRs are a bit
inconsistent in their treatment of the locally patched versions, so I am
just curious -- maybe there should be some general understanding about
this?

Sorry for being so chatty, but I am just trying to understand the policy
and best practices for VuXML.

Thanks!
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual   
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook 
    {_.-``-'         {_/            #