Subject: Re: pkg-vulnerabilities, vulnerable packages, Opera 9.23, README.htmls
To: Dennis den Brok <d.den.brok@uni-bonn.de>
From: Gary Thorpe <gathorpe79@yahoo.com>
List: pkgsrc-users
Date: 08/22/2007 21:53:06
--- Dennis den Brok <d.den.brok@uni-bonn.de> wrote:

> To sum it up in a single mail:
> 
>    * Opera 9.23 is out for quite a while and fixes one security issue
> with
> JavaScript and a few stability issues, so I guess the package ought
> to be
> updated and the updates pulled up to -2007Q2, which doesn't seem to
> have
> 9.22 yet, even (which already fixed security issues);
>    * pkg-vulnerabilities doesn't list at least the security issue
> fixed by
> the release of Opera 9.23;
>    * What I'm wondering about: Firefox 2.0.0.6 has this long-standing
> remote-information-exposure issue which prevents it from being built
> without ALLOW_VULNERABLE=yes; yet, there's a binary package available
> from
> a directory different from packages/vulnerable, and the corresponding
> README.html doesn't mention any vulnerabilities at all. I reckon this
> is
> to not confuse new users with such a popular package being not
> instantly
> available, but I haven't found anything about a change of policy
> regarding
> that matter; ISTR that earlier, Firefox was being treated
> differently?
>    * The links to dependencies in the README.htmls on the pkgsrc
> ftp-server
> are long since broken. There's one "../" missing, for instance in
> x11/9term/README.html, there's a link to
>
ftp://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/x11/editors/sam/README.html.
> Note "x11/editors".
> 
> TIA for anything.
> 
> -- 
> Dennis den Brok
> 

I recently had a problem which was fixed where the vulnerability
information was being left out for some reason in all the README.html
files (on NetBSD 3.0).

Using the current pkgsrc, this is partially fixed: README.html now
includes vulnerabilities on my system (maybe yours would need
updating). However, vulnerability information for Firefox specifically
is missing (and a huge number of them, which says the file is still not
being properly generated). While others seem complete, future
vulnerabilities may also get left out of others somehow.

For Firefox, they are in the vulnerability file [which may be outdated
with respect to Opera]) and trying to build firefox shows the latest
one up as you have experienced but README.html does not mention them.


      Get news delivered with the All new Yahoo! Mail.  Enjoy RSS feeds right on your Mail page. Start today at http://mrd.mail.yahoo.com/try_beta?.intl=ca