Subject: pkg/30744: incorrect package vulnerability entry for firefox
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <smb@cs.columbia.edu>
List: pkgsrc-bugs
Date: 07/13/2005 17:35:00
>Number:         30744
>Category:       pkg
>Synopsis:       bad firefox entries in pkg-vulnerabilities
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jul 13 17:35:00 +0000 2005
>Originator:     Steven M. Bellovin
>Release:        NetBSD 3.99.7
>Organization:
Department of Computer Science, Columbia University
>Environment:
System: NetBSD berkshire.machshav.com 3.99.7 NetBSD 3.99.7 (BERKSHIRE) #1: Fri Jul 1 15:56:08 EDT 2005 smb@berkshire.machshav.com:/usr/BUILD/obj/sys/arch/i386/compile/BERKSHIRE i386
Architecture: i386
Machine: i386
>Description:
	These two entries in pkg-vulnerabilities:

	firefox{,-bin,-gtk1,-gtk2,-gtk2-bin}-[0-9]*     http-frame-spoof        http://secunia.com/advisories/15601/
	firefox{,-bin,-gtk1,-gtk2,-gtk2-bin}-[0-9]*     dialog-spoofing         http://secunia.com/advisories/15489/

	are wrong.  The advisories themselves say to upgrade to 1.0.5,
	but those entries object to 1.0.5.

>How-To-Repeat:
	cd pkgsrc/www/firefox-bin && MOZILLA_USE_LINUX=y make install
>Fix:
	Use ALLOW_VULNERABLE_PACKAGES=y

>Unformatted:
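The Description boils down to a pattern-matching question: the quoted entries use the glob form `firefox...-[0-9]*`, which pkgsrc's matcher satisfies for any version whose first character is a digit, so 1.0.5 is flagged along with the versions the advisories actually cover. The script below is an added illustration, not pkgsrc or pkg_install code; it re-implements a simplified subset of the `pmatch()` semantics (csh-style `{a,b}` alternation, glob patterns, and dewey comparisons such as `pkg<1.0.5`) and runs the two entries from this PR, plus a constructed third entry with a version bound, against a few package names. The bounded entry is an assumption about what a version-limited entry would look like; the PR itself does not give a corrected pattern.

```python
"""Simplified re-implementation of pkg-vulnerabilities pattern matching.

Added illustration, not pkgsrc/pkg_install code. It approximates three
pattern features that pkgsrc's pmatch() supports -- csh-style {a,b}
alternation, glob patterns such as 'pkg-[0-9]*', and dewey comparisons
such as 'pkg<1.0.5' -- closely enough to show why the two entries in this
PR flag every firefox version, including the 1.0.5 the advisories recommend.
"""
import fnmatch
import re

# The two entries quoted in the PR, plus a constructed third entry (an
# assumption about how a version-bounded entry would look; the PR does not
# give a corrected pattern) for contrast.
VULN_LINES = """\
firefox{,-bin,-gtk1,-gtk2,-gtk2-bin}-[0-9]*     http-frame-spoof        http://secunia.com/advisories/15601/
firefox{,-bin,-gtk1,-gtk2,-gtk2-bin}-[0-9]*     dialog-spoofing         http://secunia.com/advisories/15489/
firefox{,-bin,-gtk1,-gtk2,-gtk2-bin}<1.0.5      http-frame-spoof        http://secunia.com/advisories/15601/
"""

# Pre-release markers sort below a plain numeric component (a simplified
# version of the ordering pkg_install's dewey code uses).
PRE_RELEASE = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}


def dewey(version):
    """Turn '1.0.5nb2' into a tuple that sorts like pkgsrc's dewey order.

    Returns (components, nb) so that 1.0 == 1.0.0, 1.0rc1 < 1.0 and
    1.0.5nb1 > 1.0.5.  Unknown alphabetic tokens are treated as 0.
    """
    base, _, nb = version.partition("nb")
    parts = []
    for tok in re.findall(r"\d+|[a-z]+", base.lower()):
        parts.append(int(tok) if tok.isdigit() else PRE_RELEASE.get(tok, 0))
    parts.extend([0] * (10 - len(parts)))  # pad so a trailing .0 does not matter
    return tuple(parts), int(nb or 0)


COMPARE = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}
# name followed by one or more comparison clauses, e.g. 'pkg>=1.0<1.0.5'
DEWEY_PATTERN = re.compile(r"^([^<>]+?)((?:(?:<=|>=|<|>)[^<>]+)+)$")


def expand_braces(pattern):
    """Expand csh-style alternation: 'a{,-b}-x' -> ['a-x', 'a-b-x']."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if m is None:
        return [pattern]
    head, tail = pattern[: m.start()], pattern[m.end():]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(head + alt + tail))
    return expanded


def pattern_matches(pattern, pkg):
    """Match one brace-free pattern against a 'name-version' string."""
    name, _, version = pkg.rpartition("-")
    m = DEWEY_PATTERN.match(pattern)
    if m is None:
        # Glob pattern: 'firefox-bin-[0-9]*' is satisfied by any version
        # that starts with a digit, so the entry never expires.
        return fnmatch.fnmatchcase(pkg, pattern)
    if m.group(1) != name:
        return False
    installed = dewey(version)
    return all(
        COMPARE[op](installed, dewey(bound))
        for op, bound in re.findall(r"(<=|>=|<|>)([^<>]+)", m.group(2))
    )


def parse_vulnerabilities(text):
    """Yield (pattern, kind, url) triples from pkg-vulnerabilities-style text."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        yield tuple(line.split())


def vulnerable(pkg, text=VULN_LINES):
    """Return every entry that flags pkg, the way an audit pass would."""
    return [
        entry
        for entry in parse_vulnerabilities(text)
        if any(pattern_matches(p, pkg) for p in expand_braces(entry[0]))
    ]


if __name__ == "__main__":
    for pkg in ("firefox-bin-1.0.4", "firefox-bin-1.0.5", "firefox-gtk2-1.0.5nb1"):
        hits = vulnerable(pkg)
        print(f"{pkg}: {len(hits)} entries -> {[e[1] for e in hits]}")
```

Running it shows that firefox-bin-1.0.4 trips all three entries, while firefox-bin-1.0.5 still trips the two glob entries from the PR and only the constructed `<1.0.5` entry drops it. The point for anyone maintaining such a list is that an unbounded glob is a permanent mark against a package name, which is why the submitter is reduced to `ALLOW_VULNERABLE_PACKAGES=y` to install the fixed release.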