Subject: pkg/32822: CUPS: vulnerable or not?
To: None <firstname.lastname@example.org, email@example.com,>
From: None <firstname.lastname@example.org>
Date: 02/13/2006 19:45:00
>Synopsis: CUPS vulnerability info is inconsistent
>Arrival-Date: Mon Feb 13 19:45:00 +0000 2006
>Originator: Anne Bennett
>Release: NetBSD 3.0
System: NetBSD quill.porcupine.montreal.qc.ca 3.0 NetBSD 3.0 (QUILL_AMD64) #4: Mon Jan 2 17:33:19 EST 2006 email@example.com:/disks/nobak/netbsd/netbsd-3.0/src/sys/arch/amd64/compile/QUILL_AMD64 amd64
I seem to be getting inconsistent information about CUPS vulnerabilities.
The information at:
lists versions up to and including cups-1.1.23nb4 as vulnerable,
which ought to mean that cups-1.1.23nb5 is okay, but my attempts to
install it result in:
*** WARNING - 1721,denial-of-service vulnerability in cups-1.1.23nb5
- see http://secunia.com/advisories/18332/ for more information ***
*** WARNING - 1722,arbitrary-code-execution vulnerability in
cups-1.1.23nb5 - see http://secunia.com/advisories/18332/ for more
or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely
... and sure enough, /usr/pkg/distfiles/pkg-vulnerabilities
(downloaded daily) still this morning was listing:
cups-[0-9]* 1721,denial-of-service http://secunia.com/advisories/18332/
cups-[0-9]* 1722,arbitrary-code-execution http://secunia.com/advisories/18332/
... where presumably "cups-[0-9]*" matches all known versions.
The URL states that "The vulnerabilities are caused due to the
use of a vulnerable version of Xpdf".
I'm not sure if this is considered a bug, or if I'm supposed to just
decide that since my version of xpdf is not listed as vulnerable, then
I can ignore this warning. If so, I'll learn to use the "-i" option
to audit-packages. But I suspect that this may trip up other people
as well, especially since the CUPS web page in the pkg listing does
not list this vulnerability. If it's possible, it would be helpful to
get the same story from the vulnerability list and the per-package
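To make the matching behaviour described in this report concrete, here is an added illustration (not pkg_install's or audit-packages' own code): a simplified Python re-implementation of how a pkg-vulnerabilities pattern is tested against an installed package name. The two wildcard lines are the ones quoted above; the third, bounded `cups<1.1.23nb5` line is a constructed example of pkgsrc's "pkg<version" pattern form, not a line from the real file, and the dewey comparison is deliberately reduced to dotted numbers plus an optional `nbN` revision.

```python
import fnmatch
import re

# Constructed sample in pkg-vulnerabilities format. The first two lines are
# the wildcard entries quoted in the PR; the third is a hypothetical bounded
# entry using pkgsrc's "pkg<version" syntax (not taken from the real file).
SAMPLE_VULNERABILITIES = """\
cups-[0-9]* 1721,denial-of-service http://secunia.com/advisories/18332/
cups-[0-9]* 1722,arbitrary-code-execution http://secunia.com/advisories/18332/
cups<1.1.23nb5 1721,denial-of-service http://secunia.com/advisories/18332/
"""

def version_key(version):
    """Map a pkgsrc version such as '1.1.23nb5' to a comparable tuple.
    Handles dotted numeric parts plus the optional 'nbN' revision only
    (a simplification of the real dewey comparison)."""
    base, _, nb = version.partition("nb")
    return tuple(int(x) for x in base.split(".")), int(nb or 0)

def pattern_matches(pattern, pkgname):
    """True if a pkg-vulnerabilities pattern covers 'name-version'."""
    name, _, version = pkgname.rpartition("-")
    bound = re.fullmatch(r"([^<>=]+)([<>]=?)(.+)", pattern)
    if bound is None:
        # Glob form such as 'cups-[0-9]*' is matched against the whole
        # name, so it covers every version that starts with a digit.
        return fnmatch.fnmatchcase(pkgname, pattern)
    pname, op, pver = bound.groups()
    if pname != name:
        return False
    have, limit = version_key(version), version_key(pver)
    return {"<": have < limit, "<=": have <= limit,
            ">": have > limit, ">=": have >= limit}[op]

def audit(pkgname, vuln_text=SAMPLE_VULNERABILITIES):
    """Return the (pattern, kind, url) entries that flag pkgname."""
    hits = []
    for line in vuln_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, kind, url = line.split()
        if pattern_matches(pattern, pkgname):
            hits.append((pattern, kind, url))
    return hits
```

Running `audit("cups-1.1.23nb5")` returns only the two wildcard entries, while `audit("cups-1.1.23nb4")` also returns the bounded one, which is the difference between a pattern that expires once a fixed package revision exists and one that never does.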