pkg/30744: incorrect package vulnerability entry for firefox

To: pkg-manager%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, pkgsrc-bugs%netbsd.org@localhost
Subject: pkg/30744: incorrect package vulnerability entry for firefox
From: smb%cs.columbia.edu@localhost
Date: Wed, 13 Jul 2005 17:35:00 +0000 (UTC)

>Number:         30744
>Category:       pkg
>Synopsis:       bad firefox entries in pkg-vulnerabilities
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jul 13 17:35:00 +0000 2005
>Originator:     Steven M. Bellovin
>Release:        NetBSD 3.99.7
>Organization:
Department of Computer Science, Columbia University
>Environment:
        
        
System: NetBSD berkshire.machshav.com 3.99.7 NetBSD 3.99.7 (BERKSHIRE) #1: Fri 
Jul 1 15:56:08 EDT 2005 
smb%berkshire.machshav.com@localhost:/usr/BUILD/obj/sys/arch/i386/compile/BERKSHIRE
 i386
Architecture: i386
Machine: i386
>Description:
        These two entries in pkg-vulnerabilities:

        firefox{,-bin,-gtk1,-gtk2,-gtk2-bin}-[0-9]*     http-frame-spoof        
http://secunia.com/advisories/15601/
        firefox{,-bin,-gtk1,-gtk2,-gtk2-bin}-[0-9]*     dialog-spoofing         
http://secunia.com/advisories/15489/

        are wrong.  The advisories themselves say to upgrade to 1.0.5,
        but those entries object to 1.0.5.

>How-To-Repeat:
        cd pkgsrc/www/firefox-bin && MOZILLA_USE_LINUX=y make install
>Fix:
        Use ALLOW_VULNERABLE_PACKAGES=y

>Unformatted:

Prev by Date: Re: pkg/30729
Next by Date: Re: pkg/30744
Previous by Thread: Re: pkg/30729
Next by Thread: Re: pkg/30744
Indexes:

Home | Main Index | Thread Index | Old Index