Subject: Re: pkgsrc/distfiles/vulnerabilities
To: Hitoshi Asaeda <email@example.com>
From: Alistair Crooks <AlistairCrooks@excite.com>
Date: 09/21/2000 02:35:41

On Thu, 21 Sep 2000 13:49:42 +0900 (JST), Hitoshi Asaeda wrote:
> Recent pkgsrc may require a file or something whose name is
> "vulnerabilities" under pkgsrc/distfiles.
> What is this? Is there any notification for the above change?
> I've just glanced this is caused by new bsd.pkg.mk.
>
> Hitoshi Asaeda

My apologies - in my haste to get the changes in to support
the pkgsrc/security/audit-packages package, one of the changes
I made to pkgsrc/mk/bsd.pkg.mk meant that an installation of a
package would fail if there wasn't a list of vulnerable packages
on the machine. I fixed this yesterday (UK time) in revision
1.578 of pkgsrc/mk/bsd.pkg.mk.

Just to explain about the audit-packages package - there are
two scripts included in that package: (1) download-vulnerability-list, which
downloads the latest list of security vulnerabilities
in packages from ftp.netbsd.org, and (2) audit-packages, which
looks at the installed packages on a machine to see if any of them are
vulnerable to security exploits, checked against the downloaded

Package ntop-1.0 has a remote-root-shell vulnerability, see

[BTW, I really have ntop-1.1 installed, for all of those of you
who now try to hack wherever I am, I just renamed the directory
to give an example - agc]

Alistair Crooks (firstname.lastname@example.org)
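
The check described in this message, sketched as an added example; it is not the audit-packages script and not part of the original mail. The three-column list format, the one-directory-per-package layout, the exact-name matching and the placeholder URL are assumptions made for the illustration, and a missing list is treated as a warning rather than a failure.

```shell
#!/bin/sh
# Added illustration, not the pkgsrc audit-packages script.
# Assumed list format: "<pkgname-version> <vulnerability-type> <url>",
# one entry per line, '#' starting a comment line.
# Assumed layout: one directory per installed package under the package db.

audit_packages() {
    list=$1
    pkgdb=$2

    # A missing list must not block anything: warn and report no findings.
    if [ ! -r "$list" ]; then
        echo "warning: no vulnerability list at $list, skipping audit" >&2
        return 0
    fi

    found=0
    for dir in "$pkgdb"/*/; do
        [ -d "$dir" ] || continue      # empty database: the glob matched nothing
        pkg=$(basename "$dir")
        # Exact match on the first column; one report line per matching entry.
        hits=$(awk -v pkg="$pkg" '
            $1 ~ /^#/ || NF < 3 { next }
            $1 == pkg {
                printf "Package %s has a %s vulnerability, see %s\n", $1, $2, $3
            }' "$list")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"                    # 0 = clean, 1 = vulnerable package present
}

# Constructed sample data: two installed packages, one listed as vulnerable.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/pkg/ntop-1.0" "$tmp/pkg/zsh-3.0.8"
    cat > "$tmp/vulnerabilities" <<'EOF'
# constructed entry, URL is a placeholder
ntop-1.0   remote-root-shell   https://example.invalid/advisory-placeholder
EOF
    rc=0
    audit_packages "$tmp/vulnerabilities" "$tmp/pkg" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Calling `demo` prints one report line for the constructed ntop-1.0 directory and returns 1; pointing `audit_packages` at a list path that does not exist returns 0 with only a warning on stderr.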