Subject: pkg/21076: some netbsd-1-6-1 packages have security holes
To: None <>
From: None <>
List: netbsd-bugs
Date: 04/09/2003 18:58:03
>Number:         21076
>Category:       pkg
>Synopsis:       The netbsd-1-6-1 branch for packages has security issues
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed Apr 09 09:58:00 PDT 2003
>Originator:     Aymeric Vincent
>Release:        NetBSD 1.6.1
System: NetBSD fairness 1.6.1 NetBSD 1.6.1 (FAIRNESS) #0: Fri Apr 4 15:29:41 CEST 2003 vincent@fairness:/usr/src/sys/arch/i386/compile/FAIRNESS i386
Architecture: i386
Machine: i386
 I use the netbsd-1-6-1 branch of pkgsrc. However quite a few packages in
 it are known to have security holes that are fixed in -current pkgsrc.
 I believe it would be nice to pull up the necessary changes to that branch.
Install a lot of netbsd-1-6-1 packages, notice the warnings.

[1]% audit-packages 
Package gnuchess-5.00nb2 has a remote-user-shell vulnerability, see
Package php-4.2.3nb1 has a remote-code-execution vulnerability, see
Package ircII-20021103 has a remote-code-execution vulnerability, see

 Doing some pull-ups. Unfortunately, I understand this means recompiling these
packages and maybe updating their dependencies for all the architectures that
will have binary packages released.