Thanks for sending the patch. There is a vast amount of work to keep up with security issues on a vast number of upstream packages. Ideally each upstream would release a new micro-version when there are security issues, and we could then just upgrade to that version. pkgsrc tries hard to keep track of versions that are affected by various issues (usually captured by a CVE code). When a package is patched for that CVE, we adjust the entry in pkg-vulnerabilities. To help keep track of which are patched and which are not, we try to have comments in the patch files (before the diff hunks) that say 1) what the patch does, and for security patches to give the CVE ref and 2) where the patch came from. Often a patch is taken from upstream svn/git/etc., and has been applied to head or a release branch after the latest release. The reason your nb1 is still being flagged as vulnerable is that we haven't recorded that nb1 is ok, because we don't know about it, and even if so some other random change might produce a still-vulnerable nb1. It really is a simple application of the pattern in pkg-vulnerabilites. Also, I wonder how you are making patches. If you use mkpatches (from pkgtools/pkgdiff), it will create files with our more recent naming convention based on files names instead of -aa. The two current entries are arc<5.21enb2 insecure-temp-files http://www.zataz.net/adviso/arc-09052005.txt arc-[0-9]* directory-traversal https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527 I'm guessing your fix is for the directory traversal issue. In general, if you have changes to pkgsrc that can just be applied after review, sending a patch to pkgsrc to this list is a good plan. Do you know if arc has released a fixed version? Might you be able to poke them to do that?
Description: PGP signature