pkgsrc-Users archive


Re: pkgsrc-2017Q1 released

Thanks for sending the patch.

There is a vast amount of work to keep up with security issues on a vast
number of upstream packages.  Ideally each upstream would release a new
micro-version when there are security issues, and we could then just
upgrade to that version.

pkgsrc tries hard to keep track of versions that are affected by various
issues (usually captured by a CVE code).  When a package is patched for
that CVE, we adjust the entry in pkg-vulnerabilities.  To help keep
track of which are patched and which are not, we try to have comments in
the patch files (before the diff hunks) that say 1) what the patch does
(and, for security patches, the CVE ref) and 2) where the patch came
from.  Often a patch is taken from upstream svn/git/etc., and has been
applied to head or a release branch after the latest release.

The reason your nb1 is still being flagged as vulnerable is that we
haven't recorded that nb1 is ok, because we don't know about it, and
even if so, some other random change might produce a still-vulnerable
nb1.  It really is a simple application of the pattern in

Also, I wonder how you are making patches.  If you use mkpatches (from
pkgtools/pkgdiff), it will create files with our more recent naming
convention based on file names instead of -aa.

The two current entries are

arc<5.21enb2            insecure-temp-files
arc-[0-9]*              directory-traversal

I'm guessing your fix is for the directory traversal issue.

In general, if you have changes to pkgsrc that can just be applied after
review, sending a patch to pkgsrc to this list is a good plan.

Do you know if arc has released a fixed version?  Might you be able to
poke them to do that?

Attachment: signature.asc
Description: PGP signature
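The two pkg-vulnerabilities entries quoted in the mail, worked through as an added example (this is not pkgsrc's own code, nor pkg_admin's). It shows why a locally bumped `arc-5.21enb1` stays flagged: it still satisfies `arc<5.21enb2`, and the glob entry `arc-[0-9]*` matches every arc version until the entry itself is adjusted. The version ordering is a simplified model of pkg_install's dewey comparison (numbers compare numerically, a trailing letter sorts after the bare number, alpha/beta/pre/rc sort before it, `nbN` is a final tiebreak); combined ranges such as `foo>=1<2` are not handled. The sample lines are constructed, and their third column (the advisory URL, which the mail omits) is a placeholder.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of pkg-vulnerabilities lines: the two entries from the mail,
# with placeholder URLs in the third column (the mail does not quote them).
SAMPLE_PKG_VULNERABILITIES = (
    "arc<5.21enb2\tinsecure-temp-files\thttps://example.invalid/PLACEHOLDER-1\n"
    "arc-[0-9]*\tdirectory-traversal\thttps://example.invalid/PLACEHOLDER-2\n"
)

# Pre-release modifiers sort below the bare version; 'pl' is a neutral patch level.
# Assumption: simplified model of pkg_install's dewey.c, not a copy of it.
MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}


def dewey(version):
    """Parse a pkgsrc-style version such as '5.21enb2' into ([components], nb)."""
    nb = 0
    m = re.search(r"nb(\d+)$", version)
    if m:
        nb = int(m.group(1))
        version = version[: m.start()]
    parts = []
    i = 0
    while i < len(version):
        c = version[i]
        if c.isdigit():
            j = i
            while j < len(version) and version[j].isdigit():
                j += 1
            parts.append(int(version[i:j]))
            i = j
        elif c in "._":
            i += 1  # separators carry no value
        else:
            for word, value in MODIFIERS.items():
                if version[i:].lower().startswith(word):
                    parts.append(value)
                    i += len(word)
                    break
            else:
                # A lone letter ('e' in 5.21e) sorts after the preceding number.
                parts.append(ord(c.lower()) - ord("a") + 1)
                i += 1
    return parts, nb


def dewey_cmp(a, b):
    """Return -1, 0 or 1 comparing version strings a and b; missing components
    are treated as 0, so 5.21 == 5.21.0 and 5.21rc1 < 5.21."""
    pa, nba = dewey(a)
    pb, nbb = dewey(b)
    n = max(len(pa), len(pb))
    pa = pa + [0] * (n - len(pa))
    pb = pb + [0] * (n - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    return (nba > nbb) - (nba < nbb)


# A dewey pattern is name, comparison operator, version, e.g. 'arc<5.21enb2'.
PATTERN_RE = re.compile(r"^(?P<name>[^<>=]+?)(?P<op>[<>]=?|==|!=)(?P<ver>.+)$")


def pattern_matches(pattern, pkg):
    """True if installed package 'pkg' (e.g. 'arc-5.21enb1') is covered by
    'pattern', which is either a dewey comparison or a shell-style glob."""
    name, _, version = pkg.rpartition("-")
    m = PATTERN_RE.match(pattern)
    if m is None:
        return fnmatchcase(pkg, pattern)  # glob form such as 'arc-[0-9]*'
    if m.group("name") != name:
        return False
    c = dewey_cmp(version, m.group("ver"))
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0,
            "==": c == 0, "!=": c != 0}[m.group("op")]


def audit(pkg_vulnerabilities_text, installed):
    """Return [(pkg, vuln_type, url)] for every installed package that an entry
    still covers; this is the check behind a 'flagged as vulnerable' report."""
    hits = []
    for line in pkg_vulnerabilities_text.splitlines():
        if not line or line.startswith("#"):
            continue
        pattern, vuln_type, url = line.split("\t")
        for pkg in installed:
            if pattern_matches(pattern, pkg):
                hits.append((pkg, vuln_type, url))
    return hits


if __name__ == "__main__":
    for pkg in ("arc-5.21enb1", "arc-5.21enb2", "arc-5.22"):
        for hit in audit(SAMPLE_PKG_VULNERABILITIES, [pkg]):
            print("%s: %s (%s)" % hit)
```

Running it shows `arc-5.21enb1` hit by both entries, `arc-5.21enb2` by the glob entry only, and even a hypothetical `arc-5.22` still hit by `arc-[0-9]*`: the glob entry cannot clear itself on a version bump, which is why the entry has to be edited (and the fix recorded in the patch comment) once the package is actually patched.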
