Subject: Re: pkg-vulnerabilities, vulnerable packages, Opera 9.23, README.htmls
To: Dennis den Brok <>
From: Adrian Portelli <>
List: pkgsrc-users
Date: 08/30/2007 00:44:28
Gary Thorpe wrote:
> --- Dennis den Brok <> wrote:
>>    * What I'm wondering about: Firefox has this long-standing
>> remote-information-exposure issue which prevents it from being built
>> without ALLOW_VULNERABLE=yes; yet, there's a binary package available
>> from
>> a directory different from packages/vulnerable, and the corresponding
>> README.html doesn't mention any vulnerabilities at all. I reckon this
>> is
>> to not confuse new users with such a popular package being not
>> instantly
>> available, but I haven't found anything about a change of policy
>> regarding
>> that matter; ISTR that earlier, Firefox was being treated
>> differently?
> Using the current pkgsrc, this is partially fixed: README.html now
> includes vulnerabilities on my system (maybe yours would need
> updating). However, vulnerability information for Firefox specifically
> is missing (and a huge number of them, which says the file is still not
> being properly generated). While others seem complete, future
> vulnerabilities may also get left out of others somehow.


If you 'cvs update' your sources and upgrade to the latest version of
the pkg_install tools (technically >=20070714 will do) this problem
should be fixed.