Subject: Re: Pkg sources that have exploits and I'd like updated
To: Thomas Klausner <>
From: Ryan La Riviere <>
List: tech-pkg
Date: 03/04/2003 14:32:05
On 03/04/2003 13:57, "Thomas Klausner" <> wrote:

> On Tue, Mar 04, 2003 at 01:29:48PM -0500, Ryan La Riviere wrote:
>>> openssl-0.9.6gnb1 is in pkgsrc.
>> This was listed on the openssl page:
>>  openssl<0.9.6gnb1 has a weak-encryption exploit (see
>> for more details)
> Yes, < meaning that 0.9.6gnb1 is _not_ vulnerable.

In my mind I threw an = after the <

>>>> Package php-4.1.2 has a remote-code-execution vulnerability, see
>>> php-4.2.3nb2 is in pkgsrc.
>> This was listed on the php4 page:
>>  php<4.2.3nb2 has a remote-code-execution exploit (see
>> for more details)
> Same as above, 4.2.3nb2 is _not_ vulnerable.


>>> sendmail-8.12.8 is in pkgsrc.
>>> Just get a newer pkgsrc (e.g. from anoncvs) and update.
>> I had just used sup this morning and sendmail is still at 8.12.6.  Also, the
>> web site still reflects that 8.12.6 is current.  When was sendmail updated
>> to 8.12.8?
> # $NetBSD: Makefile,v 1.56 2003/03/04 00:21:31 seb Exp $
>> I'm running sup again just to make sure.
> I'm not sure how often the sup-scanner runs, but I guess by tomorrow you
> should have up-to-date versions of them all.

So it's not as real time as I would have thought.  That's fine.  I can wait
until tomorrow.

Thanks for your help and I'll try to not throw ='s after <'s from now on.


Mr. Ryan La Riviere
Project Manager; Mechanical Engineering and Mechanics
College of Engineering; Drexel University
Philadelphia, PA 19104

IM (AIM, Yahoo, MSN): edljedi
w: 215.895.6460
Finger for Geek Code: finger -l

One thing the hardware engineers just can't seem to get the bugs out of
is... fresh paint.
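
The strict `<` in the two vulnerability patterns quoted in this thread, as an added example that is not part of the original message and is not pkgsrc code. The comparison is a simplified model written for this example (numeric components, a trailing letter as one more component, the `nbN` revision compared last), and the function names are hypothetical.

```python
import re

# Constructed entries modelled on the two patterns quoted in the thread.
ADVISORIES = [
    ("openssl<0.9.6gnb1", "weak-encryption"),
    ("php<4.2.3nb2", "remote-code-execution"),
]

OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
}

def version_key(version):
    """Split '0.9.6gnb1' into ([0, 9, 6, 7], 1): components, then nb revision."""
    m = re.fullmatch(r"(.*?)(?:nb(\d+))?", version)
    base, rev = m.group(1), int(m.group(2) or 0)
    parts = []
    for tok in re.findall(r"\d+|[a-z]", base.lower()):
        # Simplification (assumption): a letter ranks by its alphabet position.
        parts.append(int(tok) if tok.isdigit() else ord(tok) - ord("a") + 1)
    return parts, rev

def compare(a, b):
    """Return -1, 0 or 1; shorter component lists are padded with zeros."""
    (pa, ra), (pb, rb) = version_key(a), version_key(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    ka, kb = (pa, ra), (pb, rb)
    return (ka > kb) - (ka < kb)

def matches(pattern, pkg):
    """True if an installed 'name-version' falls inside 'name<version' etc."""
    name, op, limit = re.fullmatch(r"(.+?)(<=|>=|<|>)(.+)", pattern).groups()
    pkg_name, _, pkg_version = pkg.rpartition("-")
    return pkg_name == name and OPS[op](compare(pkg_version, limit))

def audit(installed):
    """List (package, advisory type) for every installed package that matches."""
    return [(pkg, kind) for pkg in installed
            for pattern, kind in ADVISORIES if matches(pattern, pkg)]

if __name__ == "__main__":
    for hit in audit(["openssl-0.9.6gnb1", "php-4.1.2", "php-4.2.3nb2"]):
        print("vulnerable:", hit)
```

Reading the pattern as `<=` instead of `<` is the only thing that makes `openssl-0.9.6gnb1` match; with the strict operator the listed version is the first one that is not flagged.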