Subject: Re: What to do about unfixed vulnerabilities?
To: Paul Hoffman <firstname.lastname@example.org>
From: Alistair Crooks <AlistairCrooks@excite.com>
Date: 10/23/2000 09:45:20
On Mon, 23 Oct 2000 09:12:21 -0700, Paul Hoffman wrote:
> The new audit-packages package is quite nice, and thanks for the work
> that went into it. I run it, and it tells me:
> Package pine-4.21 has a denial-of-service vulnerability,
> see http://www.securityfocus.com/advisories/2646
> Yes, but pine-4.21 is the current version of pine. Maybe you can put
> a note in the NetBSD vulnerability list explaining either (a) where
> in pkgsrc to get the update or (b) don't bother to look, it hasn't
> been fixed yet.
Thanks - the cvs log for the pine Makefile tells me that the advisory in
http://www.securityfocus.com/advisories/2646 was fixed in version 1.35 of
the Makefile on September 9th 2000 by hubertf. You don't need cvs access to
find this out - you can view it from the cvsweb interface.
I agree, however, that the version numbering may be obscure - we should
perhaps change the vulnerability list to reflect the first version which is
safe, rather than the last vulnerable version, to make it obvious what's
i.e. pine<4.21nb1, rather than pine<=4.21
Alistair Crooks (email@example.com)
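The version-range question in the mail (pine<=4.21 versus pine<4.21nb1) comes down to how a package-audit tool compares pkgsrc versions, where the nb suffix is the pkgsrc-local revision that sorts above the plain upstream version. The following is an added illustration written for this page, not code from pkgsrc, pkg_install or audit-packages: it implements a reduced dewey-style comparison (dotted integer components plus an optional nbN suffix; alpha/beta/rc markers are not handled), a pattern matcher for the <, <=, >, >=, == operators, and a small audit loop over a constructed vulnerability list. The "pattern exploit-type URL" line layout of SAMPLE_VULNS is an assumption, as are the helper names.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in an assumed "pattern exploit-type URL" layout; this is
# not the real NetBSD vulnerability list. Line 1 is the "last vulnerable
# version" form, line 2 the "first safe version" form proposed in the mail.
SAMPLE_VULNS = """\
# constructed example, not the real NetBSD vulnerability list
pine<=4.21 denial-of-service http://www.securityfocus.com/advisories/2646
pine<4.21nb1 denial-of-service http://www.securityfocus.com/advisories/2646
"""

_NB = re.compile(r"^(.*?)(?:nb(\d+))?$")


def parse_version(ver: str) -> Tuple[List[int], int]:
    """Split '4.21nb1' into ([4, 21], 1); a missing nb suffix counts as nb0.

    Simplified: only dotted integer components are accepted, which covers the
    pine versions in the thread but not e.g. '1.0rc2'."""
    m = _NB.match(ver)
    base, nb = m.group(1), m.group(2)
    parts = [int(p) for p in base.split(".")] if base else []
    return parts, int(nb) if nb else 0


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a < b, a == b, a > b.

    The upstream version is compared first, component by component (missing
    trailing components count as 0, so 4.21 == 4.21.0); only when the upstream
    versions are equal does the pkgsrc nb revision decide, so 4.21 < 4.21nb1
    but 4.22 > 4.21nb9."""
    pa, nba = parse_version(a)
    pb, nbb = parse_version(b)
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    if nba != nbb:
        return -1 if nba < nbb else 1
    return 0


_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}
# name, then one or more "<op><version>" clauses (ranges like >=4.0<4.21nb1)
_PATTERN = re.compile(r"^([^<>=]+)((?:(?:<=|<|>=|>|==)[^<>=]+)+)$")
_CLAUSE = re.compile(r"(<=|<|>=|>|==)([^<>=]+)")


def match_pattern(pattern: str, pkg: str) -> bool:
    """Does the installed package 'pine-4.21' fall inside 'pine<4.21nb1'?"""
    m = _PATTERN.match(pattern)
    if not m:
        raise ValueError(f"bad pattern: {pattern}")
    name, clauses = m.group(1), m.group(2)
    pkgname, sep, pkgver = pkg.rpartition("-")
    if not sep or pkgname != name:
        return False
    return all(_OPS[op](compare_versions(pkgver, ver))
               for op, ver in _CLAUSE.findall(clauses))


def first_safe_version(pattern: str) -> Optional[str]:
    """The 'first safe version' is only readable off a pattern written with a
    strict upper bound; a <= bound leaves the reader to work out the nb bump."""
    m = _PATTERN.match(pattern)
    if not m:
        return None
    for op, ver in _CLAUSE.findall(m.group(2)):
        if op == "<":
            return ver
    return None


def audit(installed: List[str], vuln_list: str = SAMPLE_VULNS) -> List[Tuple[str, str, str, str]]:
    """Report (package, pattern, exploit type, URL) for every installed package
    matching a list entry, in the spirit of audit-packages' output."""
    hits = []
    for line in vuln_list.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split(None, 2)
        for pkg in installed:
            if match_pattern(pattern, pkg):
                hits.append((pkg, pattern, kind, url))
    return hits


if __name__ == "__main__":
    for pkg, pattern, kind, url in audit(["pine-4.21", "pine-4.21nb1"]):
        safe = first_safe_version(pattern)
        print(f"Package {pkg} has a {kind} vulnerability, see {url}"
              + (f" (fixed in {safe})" if safe else ""))
```

Both patterns flag the unpatched pine-4.21 and neither flags pine-4.21nb1, so the change Alistair proposes does not alter what audit-packages reports; its value is that a reader of the list (or a tool printing it) can read the fixed pkgsrc version straight off the strict bound instead of having to know that the fix lives in an nb revision of the same upstream release.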