4 messages in org.freebsd.freebsd-security: Re: Question on recent PHP VuXML info

From / Sent On
Andrew Storms / Sep 8, 2008 8:33 am
Jille Timmermans / Sep 8, 2008 9:07 am
Jeremy Chadwick / Sep 8, 2008 9:18 am
Simon L. Nielsen / Sep 9, 2008 1:49 pm

Subject: Re: Question on recent PHP VuXML info
From: Jeremy Chadwick
Date: Sep 8, 2008 9:18:18 am

On Mon, Sep 08, 2008 at 08:33:49AM -0700, Andrew Storms wrote:

> Not sure if this is the correct place for VuXML questions, but the FreeBSD VuXML list ( looks pretty dead given the last update was in 2007 according to the archives.
>
> We were previously tracking this entry, which pretty much sat for a while without an applicable upgradeable resolution available.
>
> Affected package: php5-posix-5.2.6
> Type of problem: php -- input validation error in posix_access function.
> Reference: < .html>
>
> Then late last week, the same VuXML ID started reporting this information instead:
>
> Affected package: php5-5.2.6
> Type of problem: php -- input validation error in safe_mode.
> Reference: < .html>
>
> The generic question I'm asking is: What happened and why? Seems to me that if you have a VuXML ID (which, I thought, wasn't supposed to be re-used), then its name and description shouldn't just apparently change one day.
>
> So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with same ID, the same bug, a new description, does the newer supersede, etc, etc? Where can I get the background on what went on here?

My initial impression after reading the full disclosures on SecurityFocus is that these two flaws are separate, and should have been given separate VuXML IDs:

CVE-2008-2665:
CVE-2008-2666:

As for the CVS commits under scrutiny, here they are in chronological order:

Revision 1.1645
Revision 1.1646
Revision 1.1647
Revision 1.1676
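
One way to catch the kind of in-place change discussed in this thread, as an added example that is not part of the original messages: compare two snapshots of vuln.xml and report every vid whose topic or affected package names differ. The snapshots, vid values and version ranges below are constructed placeholders; only the two topics and package names are taken from the thread.

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}  # VuXML 1.x namespace

# Constructed snapshots: placeholder vids, not the real entry's ID.
TEMPLATE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>php -- input validation error in {what}</topic>
    <affects><package><name>{pkg}</name>
      <range><le>5.2.6</le></range></package></affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>example -- entry that does not change</topic>
    <affects><package><name>example</name>
      <range><lt>1.0</lt></range></package></affects>
  </vuln>
</vuxml>"""
OLD = TEMPLATE.format(what="posix_access function", pkg="php5-posix")
NEW = TEMPLATE.format(what="safe_mode", pkg="php5")


def load(xml_text):
    """Map each vid to (normalised topic, sorted affected package names)."""
    entries = {}
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        # Cancelled entries have no <topic>; treat that as an empty string.
        topic = " ".join(vuln.findtext("v:topic", "", NS).split())
        names = {n.text.strip()
                 for n in vuln.iterfind("v:affects/v:package/v:name", NS)
                 if n.text}
        entries[vuln.get("vid")] = (topic, tuple(sorted(names)))
    return entries


def changed_entries(old_xml, new_xml):
    """Return vids present in both snapshots whose topic or packages differ."""
    old, new = load(old_xml), load(new_xml)
    report = []
    for vid in sorted(old.keys() & new.keys()):
        if old[vid] != new[vid]:
            report.append({"vid": vid,
                           "topic": (old[vid][0], new[vid][0]),
                           "packages": (old[vid][1], new[vid][1])})
    return report


if __name__ == "__main__":
    for change in changed_entries(OLD, NEW):
        print(change)
```
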