Subject: pkg/18802: ftp site for 1.5 has insecure packages
To: None <gnats-bugs@gnats.netbsd.org>
From: None <reed@reedmedia.net>
List: netbsd-bugs
Date: 10/25/2002 14:35:02
>Number:         18802
>Category:       pkg
>Synopsis:       ftp.netbsd.org has insecure packages for 1.5
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Oct 25 14:36:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        NetBSD 1.6
>Organization:
http://bsd.reedmedia.net/
>Environment:
	
	
System: NetBSD rainier.reedmedia.net 1.6 NetBSD 1.6 (JCR-20020927) #3: Sat Sep 28 13:40:20 PDT 2002 reed@rainier.reedmedia.net:/usr/src/sys/arch/i386/compile/JCR-20020927 i386
Architecture: i386
Machine: i386
>Description:
 ftp://ftp.netbsd.org/pub/NetBSD/packages/1.5/i386/All/ has
insecure packages, like: apache-2.0.32.tgz
>How-To-Repeat:
Look at ftp://ftp.netbsd.org/pub/NetBSD/packages/1.5/i386/All/
Look at ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities
>Fix:
Remove all packages from the FTP server that match the
ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities file.

Also check and remove for other 1.5.x and 1.6 packages too.

Preferably new packages would be put in place.
>Release-Note:
>Audit-Trail:
>Unformatted:
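
The check requested under >Fix:, as an added example that is not part of the original report or of NetBSD's own tooling: it lists which binary package file names match entries in a vulnerabilities file. It assumes the file's whitespace-separated "pattern, type, URL" layout. The sample entries are constructed, the function names are hypothetical, and the version ordering is a simplification that handles only dotted integers and an nbN revision.

```python
import re

# Constructed sample in the file's three-column layout (pattern, type, URL).
# These entries are made up for the example, not copied from the real file.
SAMPLE_VULNS = """\
# pattern          type                reference
apache<2.0.33      constructed-entry   https://example.invalid/advisory-1
foo>=1.2<1.4nb2    constructed-entry   https://example.invalid/advisory-2
bar-{1.0,1.1}*     constructed-entry   https://example.invalid/advisory-3
"""

CHECKS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
          ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def version_key(version):
    """Simplified ordering (assumption): dotted integers plus optional nbN revision."""
    base, _, rev = version.partition("nb")
    return [int(n) for n in re.findall(r"\d+", base)], int(rev or 0)

def parse_vulnerabilities(text):
    """Return (rules, unparsed): relational patterns, and patterns left for manual review."""
    rules, unparsed = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        pattern, vtype, url = fields[:3]
        m = re.fullmatch(r"([^<>=]+)((?:[<>]=?[^<>=]+)+)", pattern)
        if m:
            bounds = re.findall(r"([<>]=?)([^<>=]+)", m.group(2))
            rules.append((m.group(1), bounds, vtype, url))
        else:
            unparsed.append(pattern)  # e.g. brace/glob patterns: do not guess
    return rules, unparsed

def advisories_for(filename, rules):
    """Return (type, url) for every rule matching a file named NAME-VERSION.tgz."""
    name, _, version = re.sub(r"\.tgz$", "", filename).rpartition("-")
    key = version_key(version)
    return [(vtype, url) for rname, bounds, vtype, url in rules
            if rname == name
            and all(CHECKS[op](key, version_key(v)) for op, v in bounds)]

def packages_to_remove(filenames, text=SAMPLE_VULNS):
    """Return the file names that match at least one parsed rule."""
    rules, _ = parse_vulnerabilities(text)
    return [f for f in filenames if advisories_for(f, rules)]
```

Patterns returned in the unparsed list are not evaluated, so a listing is only clean once those have been checked by hand.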