Subject: pkg/21076: some netbsd-1-6-1 packages have security holes
To: None <gnats-bugs@gnats.netbsd.org>
From: None <aymeric@netbsd.org>
List: netbsd-bugs
Date: 04/09/2003 18:58:03
>Number:         21076
>Category:       pkg
>Synopsis:       The netbsd-1-6-1 branch for packages has security issues
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed Apr 09 09:58:00 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Aymeric Vincent
>Release:        NetBSD 1.6.1
>Organization:
	
>Environment:
	
	
System: NetBSD fairness 1.6.1 NetBSD 1.6.1 (FAIRNESS) #0: Fri Apr 4 15:29:41 CEST 2003 vincent@fairness:/usr/src/sys/arch/i386/compile/FAIRNESS i386
Architecture: i386
Machine: i386
>Description:
 I use the netbsd-1-6-1 branch of pkgsrc. However, quite a few packages in
 it are known to have security holes that are fixed in -current pkgsrc.
 I believe it would be nice to pull up the necessary changes to that branch.
>How-To-Repeat:
Install a lot of netbsd-1-6-1 packages, notice the warnings.

[1]% audit-packages 
Package gnuchess-5.00nb2 has a remote-user-shell vulnerability, see http://linux.oreillynet.com/pub/a/linux/2002/01/28/insecurities.html
Package php-4.2.3nb1 has a remote-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
Package ircII-20021103 has a remote-code-execution vulnerability, see http://eterna.com.au/ircii/
[2]% 

>Fix:
 Doing some pull-ups. Unfortunately, I understand this means recompiling these
 packages and maybe updating their dependencies for all the architectures that
 will have binary packages released.

>Release-Note:
>Audit-Trail:
>Unformatted:
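The warnings shown under How-To-Repeat come from audit-packages comparing the installed package names against a list of vulnerable package patterns. What follows is an added example, not code from this PR or from pkgsrc's own audit-packages script: a small Python re-implementation of that matching, using pkgsrc-style dewey version ordering (numeric components, alpha/beta/rc/pre modifiers sorting below the bare version, and a trailing `nb` package revision compared last) against a three-column `pattern type url` list. The vulnerability entries, the example.invalid URLs and the installed-package list are constructed for the example; the pattern syntax handled (`name<ver`, `name>=ver<ver`, exact and glob names) and the modifier values are assumptions modelled on pkgsrc rather than taken from this page.

```python
"""Added example: a minimal audit-packages-style check.

Matches installed package names against a pkg-vulnerabilities-style list
("pattern type url" columns, '#' comments) using pkgsrc-style dewey version
ordering, so that 1.0.2nb10 ranks above 1.0.2nb3 and 1.0rc2 ranks below 1.0.
The data below is constructed for the example; the pattern syntax and the
modifier values are assumptions modelled on pkgsrc, not taken from the PR.
"""
import fnmatch
import re
from typing import List, Tuple

# Constructed vulnerability list (not the real pkg-vulnerabilities file).
SAMPLE_VULNS = """\
# package-pattern        type                   url
gnuchess<5.00nb3         remote-user-shell      http://example.invalid/gnuchess
php<4.2.3nb2             remote-code-execution  http://example.invalid/php
ircII<20030301           remote-code-execution  http://example.invalid/ircii
openssl<0.9.6i           remote-code-execution  http://example.invalid/openssl
bzip2<1.0.2nb3           local-file-overwrite   http://example.invalid/bzip2
"""

# Constructed installed-package list, in the name-version form pkg_info prints.
SAMPLE_INSTALLED = [
    "gnuchess-5.00nb2",   # older than the fixed nb3: vulnerable
    "php-4.2.3nb1",       # older than nb2: vulnerable
    "ircII-20021103",     # older than 20030301: vulnerable
    "openssl-0.9.6i",     # exactly the fixed version: not vulnerable
    "bzip2-1.0.2nb10",    # nb10 > nb3 numerically, although "nb10" < "nb3" as text
    "zsh-4.0.6",          # no entry in the list at all
]

# Pre-release modifiers sort below the bare version; "pl" and "_" are neutral.
_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0, "_": 0}


def dewey(version: str) -> Tuple[List[int], int]:
    """Split a version into comparable components plus the pkgsrc nb revision."""
    base, _, rev = version.partition("nb")
    parts: List[int] = []
    for tok in re.findall(r"\d+|[A-Za-z]+|_", base):
        if tok.isdigit():
            parts.append(int(tok))
        elif tok.lower() in _MODIFIERS:
            parts.append(_MODIFIERS[tok.lower()])
        elif len(tok) == 1:
            # A single trailing letter is a minor step: 0.9.6i is 0.9.6 plus 9.
            parts.append(ord(tok.lower()) - ord("a") + 1)
        else:
            parts.append(0)  # unknown word: treated as neutral (assumption)
    return parts, int(rev) if rev.isdigit() else 0


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    pa, rev_a = dewey(a)
    pb, rev_b = dewey(b)
    width = max(len(pa), len(pb))
    pa = pa + [0] * (width - len(pa))   # 1.0 compares equal to 1.0.0
    pb = pb + [0] * (width - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    return (rev_a > rev_b) - (rev_a < rev_b)   # nb revision decides a tie only


# name followed by one or more relational bounds, e.g. php>=4.2<4.2.3nb2
_REL = re.compile(r"^([^<>]+?)((?:[<>]=?[^<>]+)+)$")


def matches(pattern: str, pkg: str) -> bool:
    """Does an installed name-version match one vulnerability pattern?"""
    m = _REL.match(pattern)
    if m is None:
        # No relational operator: plain or glob match on the full name-version.
        return fnmatch.fnmatchcase(pkg, pattern)
    name, conds = m.group(1), m.group(2)
    pkgname, _, version = pkg.rpartition("-")
    if pkgname != name:
        return False
    for op, bound in re.findall(r"([<>]=?)([^<>]+)", conds):
        c = compare(version, bound)
        if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]:
            return False
    return True


def audit(installed: List[str], vuln_text: str) -> List[Tuple[str, str, str]]:
    """Return (package, type, url) for every installed package hit by the list."""
    findings = []
    for line in vuln_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, vtype, url = line.split(None, 2)
        for pkg in installed:
            if matches(pattern, pkg):
                findings.append((pkg, vtype, url))
    return findings


def report(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Format findings in the shape audit-packages prints them."""
    return ["Package %s has a %s vulnerability, see %s" % f for f in findings]


if __name__ == "__main__":
    for line in report(audit(SAMPLE_INSTALLED, SAMPLE_VULNS)):
        print(line)
```

Run stand-alone, the script flags only the three packages the PR shows and leaves openssl, bzip2 and zsh alone. The bzip2 entry is the reason a text comparison is not good enough for this job: "1.0.2nb10" sorts before "1.0.2nb3" as a string, so a naive check would report a fixed package as vulnerable, while the numeric nb comparison gets it right.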