pkgsrc-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

pkg/42688: old acroread packages should be removed, because of security risks

>Number:         42688
>Category:       pkg
>Synopsis:       old acroread packages should be removed, because of security 
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Jan 29 00:05:00 +0000 2010
>Originator:     SODA Noriyuki
>Release:        NetBSD 5.0.1
System: NetBSD heab 5.0.1 NetBSD 5.0.1 (GENERIC) #0: Thu Jul 30 01:39:11 UTC 
Architecture: i386
Machine: i386


acroread, acroread5, acroread7, and acroread8 packages
should be removed from pkgsrc. because:

- All of them have severe security holes.

- All of them are not maintained anymore.
  > Adobe have discontinued support for Adobe Reader 8 for Linux.

- There are several alternative PDF readers which are usable.
  e.g. epdfview, evince, ... (acroread 9 is desirable too, though)

- The risks to continue to use these packages are high.
  There are lots of 0-days attacks against Acrobat reader
  (and Flashplayer) these days.
  And even trustworthy web sites are not really trustworthly these days
  due to the Gumblar virus and its variants which steal passwords
  of web admins.
  And antivirus vendors claim that there is a treat of PDF viruses
  against linux too:
  Since acroread is a linux binary, nearly all PDF viruses against
  linux do work against NetBSD too, unless the virus relies on a
  linux-specific kernel hole.

  If it's a TeX source file, security risks could be practically
  avoided by knowledgeable users.  But the risks about PDF files
  cannot be avoided even by knowledgeable users these days.

- Having them in pkgsrc gives false impression to our users
  that there is a secure way to continue to use them.

cvs remove && cvs ci

Home | Main Index | Thread Index | Old Index