Subject: Re: pkgsrc/distfiles/vulnerabilities
To: Hitoshi Asaeda <>
From: Alistair Crooks <>
List: current-users
Date: 09/21/2000 02:35:41
On Thu, 21 Sep 2000 13:49:42 +0900 (JST), Hitoshi Asaeda wrote:

>  Hi.
>  Recent pkgsrc may require a file or something whose name is
>  "vulnerabilities" under pkgsrc/distfiles.
>  What is this? Is there any notification for the above change?
>  I've just glanced this is caused by new
>  --
>  Hitoshi Asaeda

My apologies - in my haste to get the changes in to support
the pkgsrc/security/audit-packages package, one of the changes
I made to pkgsrc/mk/ meant that an installation of a
package would fail if there wasn't a list of vulnerable packages
on the machine. I fixed this yesterday (UK time) in revision
1.578 of pkgsrc/mk/

Just to explain about the audit-packages package - there are
two scripts included in that package: (1) download-vulnerability-list, which
downloads the latest list of security vulnerabilities
in packages from, and (2) audit-packages, which
looks at the installed packages on a machine to see if any of them are
vulnerable to security exploits, checked against the downloaded
vulnerability list.

agc@sys1:/usr/pkgsrc(60)% audit-packages
Package ntop-1.0 has a remote-root-shell vulnerability, see

[BTW, I really have ntop-1.1 installed, for all of those of you
who now try to hack wherever I am, I just renamed the directory
to give an example - agc]

Alistair Crooks (
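
The check that audit-packages is described as performing, as an added example (not part of the original message and not the pkgsrc script itself). It reports a missing list as its own status rather than as a clean result. Assumptions: the list format `pattern type url` with shell-glob patterns, the function names, and the sample entries and URLs are all constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not the audit-packages script shipped in pkgsrc.
# Assumed list format (constructed for this example), one entry per line:
#   <package-pattern> <vulnerability-type> <advisory-url>
# where <package-pattern> is a shell glob matched against name-version.

# audit_list LISTFILE PKG...
# Prints one line per vulnerable installed package.
# Returns 0 = nothing matched, 1 = at least one match, 2 = list unusable.
audit_list() {
    list=$1; shift
    # A missing or empty list means "unknown", never "clean".
    if [ ! -s "$list" ]; then
        echo "audit: no vulnerability list at $list" >&2
        return 2
    fi
    found=0
    for pkg in "$@"; do
        while read -r pattern type url; do
            case $pattern in ''|'#'*) continue ;; esac  # blank or comment
            # An unquoted expansion in a case label is matched as a glob.
            case $pkg in
                $pattern)
                    echo "Package $pkg has a $type vulnerability, see $url"
                    found=1 ;;
            esac
        done < "$list"
    done
    return $found
}

# Constructed sample data (not a real vulnerability list).
sample_list() {
    cat <<'EOF'
# pattern        type               url
ntop-1.0         remote-root-shell  https://advisory.example/ntop
foo-0.[1-3]*     local-root-shell   https://advisory.example/foo
EOF
}

# Demo on the constructed data when the script is run with the argument "demo".
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp) && sample_list > "$tmp"
    audit_list "$tmp" ntop-1.0 bash-2.04; echo "exit status: $?"
    rm -f "$tmp"
fi
```

In real use the package names passed as arguments would come from the machine's installed-package database rather than being typed by hand.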
