Subject: Re: suse_x11 pkg fails due to vulnerability
To: Matthias Buelow <mkb@incubus.de>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: netbsd-users
Date: 02/08/2005 14:02:58

On Tue, Feb 08, 2005 at 01:51:06PM +0100, Matthias Buelow wrote:
> when building suse_x11-7.3nb2 from pkgsrc (2004q4), required as a
> dependency by sun-jdk14, I get the following when vulnerability
> checking is enabled:
>
> ===> Checking for vulnerabilities in suse_x11-7.3nb2
> *** WARNING - remote-code-execution vulnerability in suse_x11-7.3nb2 -
> see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0914 for more
> information ***
> or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential
> *** Error code 1
> Stop.
>
> The issues with this package are from September last year already.
> Will they get resolved (and the package updated) in the foreseeable
> future?  Or how are such vulnerabilities handled in the pkg system?
> Thanks for enlightening me.

SuSE 7.3 is unsupported, no security fix exists.  the issues will be
(most likely) resolved by removing suse73 from pkgsrc in the near future
and backporting COMPAT_LINUX fixes to netbsd-1-6 (or not..).  unless you
use netbsd-1-6, it's recommended to switch to suse91 packages.

regards,

-- 
-- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org>   --
