On Thu, Oct 05, 2006 at 09:47:40AM +0400, Andrew Pantyukhin wrote:
> On 10/4/06, Simon L. Nielsen <[EMAIL PROTECTED]> wrote:
> >On 2006.10.04 17:10:46 +0000, Andrew Pantyukhin wrote:
> >> sat 2006-10-04 17:10:46 UTC
> >>
> >> FreeBSD ports repository
> >>
> >> Modified files:
> >> security/vuxml vuln.xml
> >> Log:
> >> - Document NULL byte injection vulnerability in phpbb
> >>
> >> Revision Changes Path
> >> 1.1167 +40 -1 ports/security/vuxml/vuln.xml
> >[...]
> >> | <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> > >> | + <vuln vid="86526ba4-53c8-11db-8f1a-000a48049292"> > >> | + <topic>phpbb -- NULL byte injection vulnerability</topic> > >> | + <affects> > >> | + <package> > >> | + <name>phpbb</name> > >> | + <name>zh-phpbb-tw</name> > >> | + <range><lt>2.0.22</lt></range>
> >
> >Where did you find info about this being fixed in 2.0.22? I couldn't
> >find it when checking the references and the phpbb web site.
>
> It seems I've been violating an extrapolation of your prior advice
> to use >0 when there's no fix. My rationale is to look at an advisory,
> its credibility and publicity, look at the affected project and its
> history of fixing such advisories and draw a conclusion.
>
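Review bot: The <range><lt>2.0.22</lt></range> bound under <affects> treats phpbb and zh-phpbb-tw 2.0.22 and later as not affected, but nothing in the quoted lines or in this thread points to a reference confirming a fix in that version. Unless such a reference is added to the entry, the range should follow the ">0 when there's no fix" advice mentioned in the thread, so the entry keeps matching whatever version is installed until a fixed release is actually documented.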
Do I correctly understand that you assumed that the issue will be fixed
in 2.0.22 which is not yet released? This sounds totally bogus to me.
_Do not assume anything!_

-- 
Vasil Dimov
[EMAIL PROTECTED]
%
Heavier than air flying machines are impossible.
                -- Lord Kelvin, President, Royal Society, c. 1895