Subject: pkg/21076: some netbsd-1-6-1 packages have security holes
To: None <email@example.com>
From: None <firstname.lastname@example.org>
Date: 04/09/2003 18:58:03
>Synopsis: The netbsd-1-6-1 branch for packages has security issues
>Arrival-Date: Wed Apr 09 09:58:00 PDT 2003
>Originator: Aymeric Vincent
>Release: NetBSD 1.6.1
System: NetBSD fairness 1.6.1 NetBSD 1.6.1 (FAIRNESS) #0: Fri Apr 4 15:29:41 CEST 2003 vincent@fairness:/usr/src/sys/arch/i386/compile/FAIRNESS i386
I use the netbsd-1-6-1 branch of pkgsrc. However, quite a few packages in
it are known to have security holes that are fixed in -current pkgsrc.
I believe it would be nice to pull up the necessary changes to that branch.
Install a lot of netbsd-1-6-1 packages, notice the warnings.
Package gnuchess-5.00nb2 has a remote-user-shell vulnerability, see http://linux.oreillynet.com/pub/a/linux/2002/01/28/insecurities.html
Package php-4.2.3nb1 has a remote-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
Package ircII-20021103 has a remote-code-execution vulnerability, see http://eterna.com.au/ircii/
Doing some pull-ups. Unfortunately, I understand this means recompiling these
packages and maybe updating their dependencies for all the architectures that
will have binary packages released.