Return-Path: <owner-freebsd-vuxml@FreeBSD.ORG>
Delivered-To: freebsd-vuxml@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 3837B16A4CE; Mon,  7 Mar 2005 15:34:07 +0000 (GMT)
Received: from tarsier.geekcn.org (tarsier.geekcn.org [210.51.165.229])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id BC7E143D4C; Mon,  7 Mar 2005 15:34:06 +0000 (GMT)
	(envelope-from delphij@frontfree.net)
Received: from beastie.frontfree.net (unknown [219.239.99.7])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by tarsier.geekcn.org (Postfix) with ESMTP id 4A2C4EB09E0;
	Mon,  7 Mar 2005 23:34:03 +0800 (CST)
Received: from localhost (localhost.frontfree.net [127.0.0.1])
	by beastie.frontfree.net (Postfix) with ESMTP id 84823131EAA;
	Mon,  7 Mar 2005 23:31:09 +0800 (CST)
Received: from beastie.frontfree.net ([127.0.0.1])
 by localhost (beastie.frontfree.net [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 96667-16; Mon,  7 Mar 2005 23:30:56 +0800 (CST)
Received: from localhost.localdomain (unknown [61.51.108.237])
	(using TLSv1 with cipher RC4-MD5 (128/128 bits))
	(No client certificate requested)
	by beastie.frontfree.net (Postfix) with ESMTP id BCBFF131E68;
	Mon,  7 Mar 2005 23:30:54 +0800 (CST)
From: Xin LI <delphij@frontfree.net>
To: Kang Liu <liukang@bjut.edu.cn>
In-Reply-To: <310205489.09789@bjut.edu.cn>
References: <310205489.09789@bjut.edu.cn>
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="=-0/dRYBxHvUV9XT2Vv7Vc"
Organization: The FreeBSD Simplified Chinese Project
Date: Mon, 07 Mar 2005 23:29:38 +0800
Message-Id: <1110209378.669.42.camel@spirit>
Mime-Version: 1.0
X-Mailer: Evolution 2.0.4 FreeBSD GNOME Team Port 
X-Virus-Scanned: by amavisd-new at frontfree.net
cc: freebsd-vuxml@freebsd.org
cc: delphij@freebsd.org
Subject: Re: possible wrong date in 4a0b334d-8d8d-11d9-afa0-003048705d5a
X-BeenThere: freebsd-vuxml@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: delphij@delphij.net
List-Id: Documenting security issues in VuXML <freebsd-vuxml.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-vuxml>,
	<mailto:freebsd-vuxml-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-vuxml>
List-Post: <mailto:freebsd-vuxml@freebsd.org>
List-Help: <mailto:freebsd-vuxml-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-vuxml>,
	<mailto:freebsd-vuxml-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Mar 2005 15:34:07 -0000




在 2005-03-07一的 22:41 +0800，Kang Liu写道：
> Hi,
> 	The discovery date of 4a0b334d-8d8d-11d9-afa0-003048705d5a might be
> wrong. I've told delphij (the submitter of that entry), while he said that
> date came from the original source. But, as we all know, 2005 is not leap
> year, actually there is no Feb 29th 2005...I think it could be better if we
> change it to Feb 28th 2005.

Thanks for noticing this.  I'm aware of the issue, but it is the
official version claims Feb 29th:

	http://216.127.76.78/~neosecur/index.php?pagina=advisories&id=8

And my letter has been bounced before I have decided to commit it as-is.

I'm inclined in keeping it there until some of us can *actually* contact
the author to confirm the discovery date.  Replacing an official (while
it appears to be wrong) date with a guessed value (we will never know if
it is or is not wrong, and I personally infer it should be March 1st) is
more or less pointless.

BTW.  What's your opinion about the fix?  Without having a correct
filtering of user input, one can launch XSS attacks which poses users in
danger.

Cheers,
-- 
Xin LI <delphij delphij net>  http://www.delphij.net/



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQBCLHNi/cVsHxFZiIoRAoq+AJ47Jr1LioiHAAX4DLQjtlpj8ehc4QCfbpFO
O+4PgQwVIknMeeX7Hmwpbb8=
=dc2t
-----END PGP SIGNATURE-----