Subject: Re: Pkg sources that have exploits and I'd like updated
To: Thomas Klausner <>
From: Ryan La Riviere <>
List: tech-pkg
Date: 03/04/2003 13:29:48
On 03/04/2003 11:38, "Thomas Klausner" <> wrote:

> On Tue, Mar 04, 2003 at 11:28:48AM -0500, Ryan La Riviere wrote:
>> I have several packages that I run on my server that I'd like to be able to
>> update to the latest versions but the source is not current (and I'm not
>> adept at updating the packages to make them current).  Additionally, the
>> package's source are versions that have exploits.
>> The following is the output from `audit-packages`:
>> Package libmcrypt-2.4.22 has a remote-user-shell vulnerability, see
> Noone did the update for this one yet, but ...
>> Package openssl-0.9.6g has a weak-encryption vulnerability, see
> openssl-0.9.6gnb1 is in pkgsrc.

This was listed on the openssl page:
 openssl<0.9.6gnb1 has a weak-encryption exploit (see for more details)

>> Package php-4.1.2 has a remote-code-execution vulnerability, see
> php-4.2.3nb2 is in pkgsrc.

This was listed on the php4 page:
 php<4.2.3nb2 has a remote-code-execution exploit (see for more

>> Package sendmail-8.12.6nb1 has a remote-code-execution vulnerability, see
> sendmail-8.12.8 is in pkgsrc.
> Just get a newer pkgsrc (e.g. from anoncvs) and update.

I had just used sup this morning and sendmail is still at 8.12.6.  Also, the
web site still reflects that 8.12.6 is current.  When was sendmail updated
to 8.12.8?

I'm running sup again just to make sure.



Mr. Ryan La Riviere
Project Manager; Mechanical Engineering and Mechanics
College of Engineering; Drexel University
Philadelphia, PA 19104

IM (AIM, Yahoo, MSN): edljedi
w: 215.895.6460
Finger for Geek Code: finger -l

Never stand between a fire hydrant and a dog.