Subject: Re: What to do about unfixed vulnerabilities?
To: Paul Hoffman <>
From: Alistair Crooks <>
List: tech-pkg
Date: 10/23/2000 09:45:20
On Mon, 23 Oct 2000 09:12:21 -0700, Paul Hoffman wrote:

>  The new audit-packages package is quite nice, and thanks for the work 
>  that went into it. I run it, and it tells me:
>       Package pine-4.21 has a denial-of-service vulnerability,
>       see
>  Yes, but pine-4.21 is the current version of pine. Maybe you can put 
>  a note in the NetBSD vulnerability list explaining either (a) where 
>  in pkgsrc to get the update or (b) don't bother to look, it hasn't 
>  been fixed yet.

Thanks - the cvs log for the pine Makefile tells me that the advisory in was fixed in version 1.35 of
the Makefile on September 9th 2000 by hubertf. You don't need cvs access to
find this out - you can view it from the cvsweb interface

I agree, however, that the version numbering may be obscure - we should
perhaps change the vulnerability list to reflect the first version which is
safe, rather than the last vulnerable version, to make it obvious what's
going on.

i.e. pine<4.21nb1, rather than pine<=4.21


Alistair Crooks (
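The two pattern forms discussed above, `pine<=4.21` (last vulnerable version) and `pine<4.21nb1` (first safe version), describe the same set of installed packages once the `nb` PKGREVISION suffix is ordered after the base version. The following is an added example, not code from audit-packages or pkg_install: a small matcher that orders dotted numeric versions with an optional `nbN` suffix, checks an installed package name against a vulnerability pattern, and rewrites a `<=` pattern into the first-safe-version form. It assumes versions are purely numeric dotted strings plus an optional `nb` revision; the real pkgsrc dewey comparison also understands suffixes such as `alpha`, `beta`, `rc` and `pl`, which are deliberately left out, and the rewrite assumes the fix landed as a PKGREVISION bump, as it did for pine here.

```python
"""Pkgsrc-style vulnerability pattern matching (added example, not pkgsrc code).

Assumptions: versions are dotted integers with an optional 'nbN' suffix,
and 'X' < 'XnbN' < the next upstream release. Package names are split
from their version at the last hyphen, as in 'pine-4.21nb1'.
"""
import re

# name, comparison operator, version; '<=' and '>=' are tried before '<' and '>'
_PATTERN_RE = re.compile(
    r"^(?P<name>.+?)(?P<op><=|>=|<|>|==)(?P<version>[0-9][0-9.]*(?:nb[0-9]+)?)$"
)

_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}


def parse_version(version):
    """'4.21nb1' -> ((4, 21), 1); '4.21' -> ((4, 21), 0)."""
    base, _, nb = version.partition("nb")
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", base) or (nb and not nb.isdigit()):
        raise ValueError("unsupported version syntax: %r" % version)
    return tuple(int(p) for p in base.split(".")), int(nb or 0)


def compare_versions(a, b):
    """Return -1, 0 or 1 ordering a against b, e.g. 4.21 < 4.21nb1 < 4.22."""
    (pa, ra), (pb, rb) = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    # pad short dotted versions with zeros, then append the nb revision last
    ka = pa + (0,) * (width - len(pa)) + (ra,)
    kb = pb + (0,) * (width - len(pb)) + (rb,)
    return (ka > kb) - (ka < kb)


def split_pkgname(pkgname):
    """'pine-4.21nb1' -> ('pine', '4.21nb1')."""
    name, sep, version = pkgname.rpartition("-")
    if not sep:
        raise ValueError("package name has no version: %r" % pkgname)
    return name, version


def matches_pattern(pkgname, pattern):
    """True when the installed package falls inside the vulnerability pattern."""
    m = _PATTERN_RE.match(pattern)
    if not m:
        raise ValueError("unsupported pattern: %r" % pattern)
    name, version = split_pkgname(pkgname)
    if name != m.group("name"):
        return False
    return _OPS[m.group("op")](compare_versions(version, m.group("version")))


def first_safe_form(pattern):
    """Rewrite 'name<=X' as 'name<Xnb(N+1)', naming the first safe version.

    Assumes the fix was committed as a PKGREVISION bump of the same upstream
    release; other operators are returned unchanged.
    """
    m = _PATTERN_RE.match(pattern)
    if not m or m.group("op") != "<=":
        return pattern
    parts, rev = parse_version(m.group("version"))
    base = ".".join(str(p) for p in parts)
    return "%s<%snb%d" % (m.group("name"), base, rev + 1)


def patterns_equivalent(pattern_a, pattern_b, name, versions):
    """True if both patterns classify every sample version the same way."""
    return all(
        matches_pattern("%s-%s" % (name, v), pattern_a)
        == matches_pattern("%s-%s" % (name, v), pattern_b)
        for v in versions
    )


if __name__ == "__main__":
    # constructed sample versions around the pine case in the thread
    samples = ["4.20", "4.21", "4.21nb1", "4.21nb2", "4.22"]
    old, new = "pine<=4.21", first_safe_form("pine<=4.21")
    for v in samples:
        print("pine-%-8s %s:%-5s %s:%s" % (v, old, matches_pattern("pine-" + v, old),
                                          new, matches_pattern("pine-" + v, new)))
    print("equivalent:", patterns_equivalent(old, new, "pine", samples))
```

Running it shows that `pine-4.21` is flagged by both forms while `pine-4.21nb1` is flagged by neither, which is why an installed `pine-4.21` keeps being reported until the rebuilt `nb1` package is installed.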
