Subject: pkg/21443: vulnerability list reported on package install is confusing.
To: None <>
From: None <>
List: netbsd-bugs
Date: 05/03/2003 22:30:26
>Number:         21443
>Category:       pkg
>Synopsis:       vulnerability list reported on package install is confusing.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat May 03 22:31:00 UTC 2003
>Originator:     Chris Demetriou
>Release:        1.6.1 on i386, with pkgsrc from 1.6.1
see above.

I installed apache (2.0.44) from the 1.6.1 pkgsrc tree, and
it was kind enough to tell me that that version of apache had
a security vulnerability.

However, the message was a bit confusing:

*** WARNING: This package (apache-2.0.44) has a security vulnerability ***
apache<1.3.14           remote-user-access
apache<1.3.19           remote-user-access
apache<1.3.26           remote-root-shell
apache-2.0.1?           remote-root-shell
apache-2.0.2?           remote-root-shell
apache-2.0.3[0-8]*      remote-root-shell
apache<1.3.26nb1        remote-root-shell
apache-2.0.3[0-9]*      denial-of-service
apache-2.0.4[0-1]*      denial-of-service
apache-2.0.3[0-9]*      remote-root-shell
apache-2.0.4[0-2]*      remote-file-read
apache<1.3.27           local-user-shell
apache<1.3.27           denial-of-service
apache<1.3.27           local-file-read
apache-2.0.[0-3][0-9]   denial-of-service
apache-2.0.4[0-4]       denial-of-service
*** WARNING: You are strongly advised to deinstall apache-2.0.44 now ***

My first thought was "huh, do I believe this, it's telling me about
apache 1.x?!?!"

Finally, reading to the bottom of the list of 16 vulnerabilities, I found
the *one* that's actually relevant to my install.  8-)

It would be best to list only the relevant vulnerabilities, rather than
all of the historical vulnerabilities for that package, IMO.

see above.  Install a package with a security issue, which has had
previous security issues, and note that all are printed instead of
just the relevant ones.
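The fix the reporter asks for is to test each vulnerability entry's pkgsrc pattern (dewey range such as apache<1.3.26nb1, glob such as apache-2.0.4[0-4], or an exact name) against the installed package before printing it. The code below is an added, simplified reimplementation of that matching written for this note, not pkg_install's own audit-packages or dewey.c; the VULNS list is a constructed subset of the entries quoted in the report, and the modifier weights for alpha/beta/rc are assumed to follow dewey.c.

```python
import fnmatch
import re
# Constructed sample: a subset of the entries printed in the report above.
VULNS = [
    ("apache<1.3.26", "remote-root-shell"),
    ("apache<1.3.26nb1", "remote-root-shell"),
    ("apache-2.0.3[0-8]*", "remote-root-shell"),
    ("apache-2.0.4[0-2]*", "remote-file-read"),
    ("apache<1.3.27", "local-user-shell"),
    ("apache-2.0.4[0-4]", "denial-of-service"),
]
_MODS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}  # pre-release < number

def dewey(ver):
    # Split a version into comparable integers plus its "nbN" suffix (simplified).
    parts, nb = [], 0
    for m in re.finditer(r"nb(\d+)|(\d+)|([a-z]+)|\.", ver, re.I):
        if m.group(1):
            nb = int(m.group(1))
        elif m.group(2):
            parts.append(int(m.group(2)))
        elif m.group(3):
            w = m.group(3).lower()
            parts += [_MODS[w]] if w in _MODS else [0, ord(w[0]) - ord("a") + 1]
        else:
            parts.append(0)  # a dot separates components and sorts as 0
    return parts, nb

def vcmp(a, b):
    # -1, 0 or 1; missing trailing components count as 0, so 1.3.26 == 1.3.26.0
    (pa, na), (pb, nb) = dewey(a), dewey(b)
    n = max(len(pa), len(pb))
    pa, pb = pa + [0] * (n - len(pa)), pb + [0] * (n - len(pb))
    return ((pa > pb) - (pa < pb)) or ((na > nb) - (na < nb))

def pkg_match(pattern, pkg):
    # True if pkg (e.g. apache-2.0.44) satisfies a dewey, glob or exact pattern.
    name, _, ver = pkg.rpartition("-")
    m = re.fullmatch(r"([^<>]+)((?:[<>]=?[^<>]+)+)", pattern)
    if m:  # dewey pattern: base name must match and every bound must hold
        ok = {"<": (-1,), "<=": (-1, 0), ">": (1,), ">=": (0, 1)}
        return m.group(1) == name and all(
            vcmp(ver, bound) in ok[op]
            for op, bound in re.findall(r"([<>]=?)([^<>]+)", m.group(2)))
    if any(c in pattern for c in "*?["):  # glob pattern
        return fnmatch.fnmatchcase(pkg, pattern)
    return pattern == pkg

def relevant(pkg, vulns=VULNS):
    # Only the entries whose pattern actually matches the installed package.
    return [(pat, cls) for pat, cls in vulns if pkg_match(pat, pkg)]
```

With the installed package from the report, relevant("apache-2.0.44") returns just the single denial-of-service entry instead of the whole history.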