Subject: Re: What to do about unfixed vulnerabilities?
To: Paul Hoffman <phoffman@proper.com>
From: Hisashi T Fujinaka <htodd@twofifty.com>
List: tech-pkg
Date: 10/23/2000 09:19:15

On Mon, 23 Oct 2000, Paul Hoffman wrote:

> The new audit-packages package is quite nice, and thanks for the work 
> that went into it. I run it, and it tells me:
> 
>      Package pine-4.21 has a denial-of-service vulnerability,
>      see http://www.securityfocus.com/advisories/2646
> 
> Yes, but pine-4.21 is the current version of pine. Maybe you can put 
> a note in the NetBSD vulnerability list explaining either (a) where 
> in pkgsrc to get the update or (b) don't bother to look, it hasn't 
> been fixed yet.

In general, the answer is (b), but I think the NetBSD version was
patched. I can't find a new or beta version on the official pine
site. Maybe Mark Crispin isn't convinced he's done anything wrong (again).

-- 
Hisashi T Fujinaka - htodd@twofifty.com
BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte