Subject: Re: What to do about unfixed vulnerabilities?
To: Paul Hoffman <phoffman@proper.com>
From: Alistair Crooks <AlistairCrooks@excite.com>
List: tech-pkg
Date: 10/23/2000 09:45:20
On Mon, 23 Oct 2000 09:12:21 -0700, Paul Hoffman wrote:

>  The new audit-packages package is quite nice, and thanks for the work 
>  that went into it. I run it, and it tells me:
>  
>       Package pine-4.21 has a denial-of-service vulnerability,
>       see http://www.securityfocus.com/advisories/2646
>  
>  Yes, but pine-4.21 is the current version of pine. Maybe you can put 
>  a note in the NetBSD vulnerability list explaining either (a) where 
>  in pkgsrc to get the update or (b) don't bother to look, it hasn't 
>  been fixed yet.

Thanks - the cvs log for the pine Makefile tells me that the advisory in
http://www.securityfocus.com/advisories/2646 was fixed in version 1.35 of
the Makefile on September 9th 2000 by hubertf. You don't need cvs access to
find this out - you can view it from the cvsweb interface
(http://cvsweb.netbsd.org/bsdweb.cgi/).

I agree, however, that the version numbering may be obscure - we should
perhaps change the vulnerability list to reflect the first version which is
safe, rather than the last vulnerable version, to make it obvious what's
going on.

i.e. pine<4.21nb1, rather than pine<=4.21

Regards,
Al 

--
Alistair Crooks (agc@pkgsrc.org)
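
The version-pattern question raised above (whether the list should say `pine<=4.21` or `pine<4.21nb1`) is easy to see with a small matcher. The following is an added example, not audit-packages' own code: it implements a simplified pkgsrc-style version comparison (numeric components compared left to right, `alpha`/`beta`/`rc`/`pre` ranking before a bare release, and an `nb<N>` revision ranking after the same version without one) and a pattern grammar of `name` followed by one or more `<op>version` clauses. The exact grammar and the `_MODIFIERS` ranks are assumptions made for the example, and the `VULNERABILITIES` and `INSTALLED` lists are constructed sample data modelled on the message, not the real vulnerability list.

```python
import re

# Constructed sample data, modelled on the discussion above (assumption:
# not the real NetBSD vulnerability list or a real installed-package database).
VULNERABILITIES = [
    # (pattern, type, advisory URL)
    ("pine<=4.21",   "denial-of-service", "http://www.securityfocus.com/advisories/2646"),
    ("pine<4.21nb1", "denial-of-service", "http://www.securityfocus.com/advisories/2646"),
]
INSTALLED = ["pine-4.21", "pine-4.21nb1", "pine-4.30"]

# Pre-release markers sort before the bare version they qualify (assumed ranks).
_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}


def parse_version(ver):
    """Split a pkgsrc-style version into (dewey components, nb revision).

    '4.21nb1' -> ([4, 21], 1); '4.30' -> ([4, 30], 0); '4.21beta2' -> ([4, 21, -2, 2], 0).
    A single trailing letter ('1.2a') ranks after the bare version.
    Simplified from pkgsrc's dewey comparison; not its exact algorithm.
    """
    nb = 0
    m = re.search(r"nb(\d+)$", ver)
    if m:
        nb = int(m.group(1))
        ver = ver[:m.start()]
    comps = []
    for tok in re.findall(r"\d+|[a-zA-Z]+", ver):
        if tok.isdigit():
            comps.append(int(tok))
        elif tok.lower() in _MODIFIERS:
            comps.append(_MODIFIERS[tok.lower()])
        else:
            comps.append(ord(tok[0].lower()) - ord("a") + 1)
    return comps, nb


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ca, na = parse_version(a)
    cb, nbb = parse_version(b)
    width = max(len(ca), len(cb))
    ca += [0] * (width - len(ca))   # '4.21' and '4.21.0' compare equal
    cb += [0] * (width - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    return (na > nbb) - (na < nbb)  # same base version: the nb revision decides


_OP = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}
_PATTERN = re.compile(r"^([^<>=!]+)((?:(?:<=|>=|==|!=|<|>)[^<>=!]+)+)$")
_CLAUSE = re.compile(r"(<=|>=|==|!=|<|>)([^<>=!]+)")


def pattern_matches(pattern, pkg):
    """True if installed package 'name-version' satisfies every clause of pattern.

    Supports chained clauses such as 'pine>=4.20<4.21nb1' (assumed grammar).
    """
    m = _PATTERN.match(pattern)
    if not m:
        raise ValueError("bad pattern: " + pattern)
    name, clauses = m.group(1), m.group(2)
    pkgname, _, pkgver = pkg.rpartition("-")  # 'audit-packages-1.0' -> ('audit-packages', '1.0')
    if pkgname != name:
        return False
    return all(_OP[op](compare_versions(pkgver, ver))
               for op, ver in _CLAUSE.findall(clauses))


def audit(installed, vulns):
    """Return [(pkg, pattern, type, url)] for every installed package a pattern hits."""
    return [(pkg, pattern, vtype, url)
            for pkg in installed
            for pattern, vtype, url in vulns
            if pattern_matches(pattern, pkg)]


if __name__ == "__main__":
    for pkg, pattern, vtype, url in audit(INSTALLED, VULNERABILITIES):
        print("Package %s has a %s vulnerability (%s), see %s" % (pkg, vtype, pattern, url))
```

Run against the sample set, both patterns flag only `pine-4.21`: `4.21nb1` sorts after `4.21`, so `pine<=4.21` already excludes the rebuilt package. The difference between the two forms is therefore not what the audit reports but what the message tells the administrator: `pine<4.21nb1` names the first safe version to look for in pkgsrc, which is the point of the change proposed above.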




