pkgsrc-Users archive
Re: ANN: Availability of pkg(8)-capable pkgsrc
On 11/12/2016 18:39, Sevan / Venture37 wrote:
> On 13 November 2016 at 00:18, John Marino <netbsd%marino.st@localhost> wrote:
>> The only thing I could ask the security team is to keep using
>> ranges and not regex.
>
> Do you have an example entry of what you mean?
examples of ranges:
- bind99<9.9.9pl4 denial-of-service https://kb.isc.org/article/AA-01434
- mysql-client>5.7<5.7.16 multiple-vulnerabilities
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL
examples of non-standard entry:
- php{53,54,55}-soycms=<1.4.0c cross-site-scripting
http://jvn.jp/en/jp/JVN54650130/index.html
(=< instead of <=)
example of nonsense URL:
* sun-j{re,dk}14<2.18 multiple-vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-[3103-3115]
(vuxml was created to add 2 references which is totally normal)
(This is also an example of using curly brackets to create multiple
packages per vulnerability; this is a simple example.)
extreme use of curly brackets:
* mysql-server-4.1.{0,1,2,3,4,5,6,7,8,9,10,11,12}{,nb*}
(that should be a range >=4.1.0<=4.1.12nb4)
(the nb numbers should reflect reality, not wildcards. Each one is a
unique package identifier. I had to replace these wildcards with nb99
which is just a huge hack but I had no choice with this input)
more abuse:
* perl{,-thread}-5.8.{[0-4]{,nb*},5{,nb[1-7]},6{,nb[12]}}
* samba-3.0.[0-4]{,a*,nb?}
Most of these can be represented accurately with simple ranges or at
worst multiple entries. That's what I mean.
John
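
The entry styles contrasted in the message above can be told apart mechanically. The following is an added illustration, not part of the original post and not pkgsrc's or FreeBSD's own tooling: it expands the curly-bracket alternation and labels each resulting entry. The function names, the label names and the accepted operator set (`<`, `<=`, `>`, `>=`) are assumptions of this example; the sample patterns are quoted from the post.

```python
import re

# Range form as in the post's examples: a name followed by one or two bounds.
# The operator set (<, <=, >, >=) is an assumption drawn from those examples.
RANGE_RE = re.compile(r"[^<>=]+(?:(?:>=|<=|>|<)[^<>=]+){1,2}")

def expand_braces(pattern):
    """Expand csh-style {a,b} alternation, nested groups included."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth, parts, last = 0, [], start + 1
    for i in range(start, len(pattern)):
        ch = pattern[i]
        if ch == "{":
            depth += 1
        elif ch == "," and depth == 1:      # split only at the outer level
            parts.append(pattern[last:i])
            last = i + 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                parts.append(pattern[last:i])
                head, tail = pattern[:start], pattern[i + 1:]
                return [e for p in parts for e in expand_braces(head + p + tail)]
    raise ValueError("unbalanced brace in %r" % pattern)

def classify(entry):
    """Label one brace-free entry."""
    if "=<" in entry or "=>" in entry:
        return "malformed-operator"         # e.g. =< written instead of <=
    if any(c in entry for c in "*?["):
        return "glob"                       # needs glob matching, not comparison
    if RANGE_RE.fullmatch(entry):
        return "range"
    return "literal"                        # plain name-version string

def lint(pattern):
    """Return (number of expanded entries, sorted list of labels seen)."""
    expanded = expand_braces(pattern)
    return len(expanded), sorted({classify(e) for e in expanded})

# Patterns quoted from the post above.
SAMPLES = ["bind99<9.9.9pl4", "mysql-client>5.7<5.7.16",
           "php{53,54,55}-soycms=<1.4.0c", "sun-j{re,dk}14<2.18",
           "mysql-server-4.1.{0,1,2,3,4,5,6,7,8,9,10,11,12}{,nb*}",
           "perl{,-thread}-5.8.{[0-4]{,nb*},5{,nb[1-7]},6{,nb[12]}}"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(lint(s), s)
```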