Subject: Re: Pkg sources that have exploits and I'd like updated
To: Thomas Klausner <wiz@netbsd.org>
From: Ryan La Riviere <larz@cbis.ece.drexel.edu>
List: tech-pkg
Date: 03/04/2003 14:32:05

On 03/04/2003 13:57, "Thomas Klausner" <wiz@netbsd.org> wrote:

> On Tue, Mar 04, 2003 at 01:29:48PM -0500, Ryan La Riviere wrote:
>>> openssl-0.9.6gnb1 is in pkgsrc.
>> 
>> This was listed on the openssl page:
>>  openssl<0.9.6gnb1 has a weak-encryption exploit (see
>> http://www.openssl.org/news/secadv_20030219.txt for more details)
> 
> Yes, < meaning that 0.9.6gnb1 is _not_ vulnerable.

Sorry...read it wrong...in my mind I threw an = after the <

>>>> Package php-4.1.2 has a remote-code-execution vulnerability, see
>>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
>>> 
>>> php-4.2.3nb2 is in pkgsrc.
>> 
>> This was listed on the php4 page:
>>  php<4.2.3nb2 has a remote-code-execution exploit (see
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396 for more
>> details)
> 
> Same as above, 4.2.3nb2 is _not_ vulnerable.

Ditto.

>>> sendmail-8.12.8 is in pkgsrc.
>>> 
>>> Just get a newer pkgsrc (e.g. from anoncvs) and update.
>> 
>> I had just used sup this morning and sendmail is still at 8.12.6.  Also, the
>> web site still reflects that 8.12.6 is current.  When was sendmail updated
>> to 8.12.8?
> 
> # $NetBSD: Makefile,v 1.56 2003/03/04 00:21:31 seb Exp $
> 
>> I'm running sup again just to make sure.
>> 
> 
> I'm not sure how often the sup-scanner runs, but I guess by tomorrow you
> should have up-to-date versions of them all.

So it's not as real time as I would have thought.  That's fine.  I can wait
until tomorrow.

Thanks for your help and I'll try to not throw ='s after <'s from now on.
:) 

-Ryan

-- 
Mr. Ryan La Riviere
Project Manager; Mechanical Engineering and Mechanics
College of Engineering; Drexel University
Philadelphia, PA 19104

hp: http://staff.tdec.drexel.edu/~edljedi
IM (AIM, Yahoo, MSN): edljedi
w: 215.895.6460
Finger for Geek Code: finger -l larz@cbis.ece.drexel.edu

One thing the hardware engineers just can't seem to get the bugs out of
is... fresh paint.
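
The `<` versus `<=` reading discussed in this thread, as an added example that is not part of the original message and is not pkgsrc's own code: a small matcher that checks installed package names against the two advisory patterns quoted above. The version ordering is a simplified model of pkgsrc's scheme (an assumption), the function names are hypothetical, and the advisory and installed-package lists are constructed from the versions named in the thread.

```python
import re

# Constructed advisory list: the two patterns quoted in the thread.
ADVISORIES = [
    ("openssl<0.9.6gnb1", "weak-encryption"),
    ("php<4.2.3nb2", "remote-code-execution"),
]
# Assumed ordering model: pre-release words sort below a plain release.
MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0, ".": 0, "_": 0}
TOKEN = re.compile(r"\d+|alpha|beta|pre|rc|pl|nb\d+|[a-z]|[._]")

def parse_version(version):
    """Return (components, nb_revision) for a pkgsrc-style version string."""
    comps, nb = [], 0
    for tok in TOKEN.findall(version.lower()):
        if tok.isdigit():
            comps.append(int(tok))
        elif tok in MODIFIERS:
            comps.append(MODIFIERS[tok])
        elif tok.startswith("nb"):
            nb = int(tok[2:])                      # package revision, compared last
        else:
            comps += [0, ord(tok) - ord("a") + 1]  # "6g" sorts after "6"
    return comps, nb

def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    (ca, na), (cb, nb) = parse_version(a), parse_version(b)
    width = max(len(ca), len(cb))
    ka = (ca + [0] * (width - len(ca)), na)
    kb = (cb + [0] * (width - len(cb)), nb)
    return (ka > kb) - (ka < kb)

CHECKS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
          ">": lambda c: c > 0, ">=": lambda c: c >= 0}

def matches(pattern, package):
    """True if installed `package` (name-version) satisfies `pattern`."""
    name, version = package.rsplit("-", 1)
    pat_name, rest = re.match(r"([^<>]+)(.*)", pattern).groups()
    bounds = re.findall(r"(<=|>=|<|>)([^<>=]+)", rest)
    return pat_name == name and bool(bounds) and all(
        CHECKS[op](compare(version, bound)) for op, bound in bounds)

def audit(installed):
    """List (package, issue) pairs for installed packages matching an advisory."""
    return [(pkg, issue) for pkg in installed
            for pattern, issue in ADVISORIES if matches(pattern, pkg)]
```

Because the bound is exclusive, `openssl-0.9.6gnb1` and `php-4.2.3nb2` are not reported, while `php-4.1.2` is.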