Re: ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
Xin,

On Wed, Nov 19, 2008 at 03:46:07PM -0800, Xin LI wrote:
> > Thanks for handling this. But I have a question: what is the general
> > policy about versions that are to be documented within the 'range'
> > clauses? You had changed the version specification to '1.1.4', but it has
> > never been in the FreeBSD ports tree. So, should we specify only
> > existing port versions, or can we specify vendor-specific versions as
> > well, provided that the specification will be the same from the point of
> > view of the port version evolution?
>
> The '1.1.4' was chosen because the official release notes said so,
> and it is the exact minimum version of the port, if it ever got into the
> tree. Personally I think it's a bad idea to cover versions that we
> know are not vulnerable; for instance, the user might be running
> 1.1.4 or 1.1.5 with their locally patched versions and does not want to
> upgrade; making false positives would actually hurt the credibility of
> vuxml.

OK, I expected such an answer. But then, what will you say after reading
the history of ports/128698:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128698

I understand that the mentioned PR is another case and there was no
vulnerable version in the official ports tree. But the two PRs are a bit
inconsistent in their treatment of the locally patched versions, so I am
just curious -- maybe there should be some general understanding about
this?

Sorry for being so chatty, but I am just trying to understand the policy
and best practices for VuXML.

Thanks!
--
Eygene
# Remember that it is hard to read the on-line manual
# while single-stepping the kernel.
# -- FreeBSD Developers handbook
