Subject: Re: suse_x11 pkg fails due to vulnerability
To: Matthias Buelow <mkb@incubus.de>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 02/08/2005 07:55:51

In message <4208B5BA.50201@incubus.de>, Matthias Buelow writes:
>Hi folks,
>
>when building suse_x11-7.3nb2 from pkgsrc (2004q4), required as a 
>dependency by sun-jdk14, I get the following when vulnerability checking 
>is enabled:
>
>===> Checking for vulnerabilities in suse_x11-7.3nb2
>*** WARNING - remote-code-execution vulnerability in suse_x11-7.3nb2 - 
>see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0914 for more 
>information ***
>or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential
>*** Error code 1
>Stop.
>
>The issues with this package are from September last year already.  Will 
>they get resolved (and the package updated) in the foreseeable future? 
>Or how are such vulnerabilities handled in the pkg system?  Thanks for 
>enlightening me.
>

Apparently, the best way forward is to upgrade to suse9.

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb