Subject: pkg/21443: vulnerability list reported on package install is confusing.
To: None <email@example.com>
From: None <firstname.lastname@example.org>
Date: 05/03/2003 22:30:26
>Synopsis: vulnerability list reported on package install is confusing.
>Arrival-Date: Sat May 03 22:31:00 UTC 2003
>Originator: Chris Demetriou
>Release: 1.6.1 on i386, with pkgsrc from 1.6.1
i installed apache (2.0.44) from the 1.6.1 pkgsrc tree, and
it was kind enough to tell me that that version of apache had
a security vulnerability.
However, the message was a bit confusing:
*** WARNING: This package (apache-2.0.44) has a security vulnerability ***
apache<1.3.14 remote-user-access http://httpd.apache.org/dist/httpd/CHANGES_1.3
apache<1.3.19 remote-user-access http://httpd.apache.org/dist/httpd/Announcement.html
apache<1.3.26 remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.1? remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.2? remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.3[0-8]* remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache<1.3.26nb1 remote-root-shell http://www.apache-ssl.org/advisory-20020620.txt
apache-2.0.3[0-9]* denial-of-service http://www.apacheweek.com/issues/02-09-27#apache2042
apache-2.0.4[0-1]* denial-of-service http://www.apacheweek.com/issues/02-09-27#apache2042
apache-2.0.3[0-9]* remote-root-shell http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache-2.0.4[0-2]* remote-file-read http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache<1.3.27 local-user-shell http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
apache<1.3.27 denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
apache<1.3.27 local-file-read http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache-2.0.[0-3][0-9] denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
apache-2.0.4[0-4] denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
*** WARNING: You are strongly advised to deinstall apache-2.0.44 now ***
My first thought was "huh, do i believe this, it's telling me about
Finally reading to the bottom of the list of 16 vulnerabilities, i found
the *one* that's actually relevant to my install. 8-)
It would be best to list only the relevant vulnerabilities, rather than
all of the historical vulnerabilities for that package, IMO.
see above. install a package with a security issue, which has had
previous security issues, and note that all are printed instead of
just the relevant ones.
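The filtering the report asks for, as an added example that is not pkgsrc's own audit-packages code: parse entries in the `pattern type url` layout shown above and keep only those whose pattern actually matches the installed `name-version`. It assumes a simplified pattern grammar (relational `name<version` style entries compared on numeric dewey components with an optional `nb` suffix, everything else treated as a shell glob over the whole package name) and uses a constructed excerpt of the listed entries as input.

```python
import fnmatch
import re

# Constructed excerpt in the pkg-vulnerabilities layout shown in the PR:
# "<pattern> <type-of-exploit> <url>", one entry per line.
SAMPLE_VULNS = """\
apache<1.3.14 remote-user-access http://httpd.apache.org/dist/httpd/CHANGES_1.3
apache<1.3.26nb1 remote-root-shell http://www.apache-ssl.org/advisory-20020620.txt
apache-2.0.3[0-8]* remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.4[0-2]* remote-file-read http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache-2.0.[0-3][0-9] denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
apache-2.0.4[0-4] denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
"""

_REL = re.compile(r"^([^<>=]+)(<=|>=|<|>)(.+)$")  # name, operator, version

def dewey(version):
    """'1.3.26nb1' -> ((1, 3, 26), 1); simplified dewey: numeric dots plus nb suffix."""
    base, _, nb = version.partition("nb")
    return tuple(int(x) for x in base.split(".")), (int(nb) if nb else 0)

def pattern_matches(pattern, pkgname):
    """True if a vulnerability pattern applies to an installed 'name-version'."""
    name, _, version = pkgname.rpartition("-")
    m = _REL.match(pattern)
    if m:  # relational form: same base name, compare versions
        pname, op, pver = m.groups()
        if pname != name:
            return False
        a, b = dewey(version), dewey(pver)
        return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]
    # glob form: shell-style match over the whole name-version string
    return fnmatch.fnmatchcase(pkgname, pattern)

def relevant_entries(vuln_text, pkgname):
    """Only the (pattern, type, url) entries whose pattern matches pkgname."""
    hits = []
    for line in vuln_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, kind, url = line.split(None, 2)
        if pattern_matches(pattern, pkgname):
            hits.append((pattern, kind, url))
    return hits

if __name__ == "__main__":
    for entry in relevant_entries(SAMPLE_VULNS, "apache-2.0.44"):
        print(*entry)  # only the apache-2.0.4[0-4] entry is printed
```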