Subject: Re: package with security hole not flagged at build time
To: Steven M. Bellovin <email@example.com>
From: Geert Hendrickx <firstname.lastname@example.org>
Date: 01/09/2007 18:35:43
On Tue, Jan 09, 2007 at 10:38:34AM -0500, Steven M. Bellovin wrote:
> According to audit-packages, fetchmail-220.127.116.11nb1 has a security hole.
> When I go to its directory and do a 'make', it builds it without
> noticing the problem. My pkgsrc is up-to-date (HEAD), as is my
> audit-packages and the vulnerabilities file it uses. (This is on
> -current from about two weeks ago.)
Do you have ALLOW_VULNERABLE_PACKAGES set in your environment or in mk.conf?