Subject: Re: Pkg sources that have exploits and I'd like updated
To: Ryan La Riviere <>
From: Thomas Klausner <>
List: tech-pkg
Date: 03/04/2003 17:38:48

On Tue, Mar 04, 2003 at 11:28:48AM -0500, Ryan La Riviere wrote:
> I have several packages that I run on my server that I'd like to be able to
> update to the latest versions but the source is not current (and I'm not
> adept at updating the packages to make them current).  Additionally, the
> packages' sources are versions that have exploits.
> The following is the output from `audit-packages`:
> Package libmcrypt-2.4.22 has a remote-user-shell vulnerability, see

No one did the update for this one yet, but ...

> Package openssl-0.9.6g has a weak-encryption vulnerability, see

openssl-0.9.6gnb1 is in pkgsrc.

> Package php-4.1.2 has a remote-code-execution vulnerability, see

php-4.2.3nb2 is in pkgsrc.

> Package sendmail-8.12.6nb1 has a remote-code-execution vulnerability, see

sendmail-8.12.8 is in pkgsrc.

Just get a newer pkgsrc (e.g. from anoncvs) and update.