Subject: Re: CVS commit: pkgsrc/mk/bulk
To: Jan Schaumann <jschauma@netmeister.org>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: pkgsrc-changes
Date: 02/21/2007 01:40:53
On Tue, Feb 20, 2007 at 10:33:51AM -0800, Jan Schaumann wrote:
> Joerg Sonnenberger <joerg@britannica.bec.de> wrote:
> > On Tue, Feb 20, 2007 at 06:46:20AM +0000, Jan Schaumann wrote:
> > > Log Message:
> > > Only invoke audit-packages if we do find the package-name prefix in
> > > the vulnerabilities file.
> >
> > I don't think this is correct due to the way csh-style patterns work.
>
> I'm not sure I follow. Could you elaborate?
you'll miss patterns like these:
{ap-,}php<4.4.0nb1 local-security-bypass http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3054
{ja-,}squirrelmail<1.4.9a cross-site-scripting http://secunia.com/advisories/23195/
{firefox-bin,moz-bin,ns}-flash<7.0.69 inject-http-headers http://www.adobe.com/support/security/bulletins/apsb06-18.html
regards,
--
-- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org> --
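Added example, not part of the original message and not pkgsrc code: a Python sketch of why a name-prefix pre-filter skips the brace patterns quoted above, and what expanding the braces first changes. The function names are hypothetical, the pre-filter is modelled as a plain line-prefix test (an assumption about the commit), and only patterns with relational operators are handled, not globs.

```python
import re

# Constructed sample in the layout quoted above (pattern, type, URL);
# the URL column is replaced by a placeholder.
SAMPLE = """\
{ap-,}php<4.4.0nb1 local-security-bypass URL
{ja-,}squirrelmail<1.4.9a cross-site-scripting URL
{firefox-bin,moz-bin,ns}-flash<7.0.69 inject-http-headers URL
"""

_BRACE = re.compile(r"\{([^{}]*)\}")  # an innermost {a,b,...} group


def expand_braces(pattern):
    """Expand csh-style {a,b} alternation into every concrete pattern."""
    m = _BRACE.search(pattern)
    if m is None:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return list(dict.fromkeys(out))  # drop duplicates, keep order


def base_name(expanded):
    """Name part before the first relational operator (assumption: no globs)."""
    return re.split(r"[<>=]", expanded, maxsplit=1)[0]


def naive_prefix_hit(pkgbase, vuln_text):
    """Assumed model of the pre-filter: does any line start with the name?"""
    return any(line.startswith(pkgbase) for line in vuln_text.splitlines())


def expanded_hit(pkgbase, vuln_text):
    """Pre-filter that expands the braces before comparing names."""
    for line in vuln_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern = line.split()[0]
        if any(base_name(e) == pkgbase for e in expand_braces(pattern)):
            return True
    return False


if __name__ == "__main__":
    for pkg in ("php", "squirrelmail", "ns-flash", "bash"):
        print(pkg, naive_prefix_hit(pkg, SAMPLE), expanded_hit(pkg, SAMPLE))
```

A pre-filter that returns a false negative here means the audit step is never run for a package that does have a matching entry, so the safe failure direction is to run the audit whenever the pre-filter is unsure.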