Subject: Re: Pkg sources that have exploits and I'd like updated
To: Thomas Klausner <email@example.com>
From: Ryan La Riviere <firstname.lastname@example.org>
Date: 03/04/2003 14:32:05
On 03/04/2003 13:57, "Thomas Klausner" <email@example.com> wrote:
> On Tue, Mar 04, 2003 at 01:29:48PM -0500, Ryan La Riviere wrote:
>>> openssl-0.9.6gnb1 is in pkgsrc.
>> This was listed on the openssl page:
>> openssl<0.9.6gnb1 has a weak-encryption exploit (see
>> http://www.openssl.org/news/secadv_20030219.txt for more details)
> Yes, < meaning that 0.9.6gnb1 is _not_ vulnerable.
Sorry...read it wrong...in my mind I threw an = after the <
>>>> Package php-4.1.2 has a remote-code-execution vulnerability, see
>>> php-4.2.3nb2 is in pkgsrc.
>> This was listed on the php4 page:
>> php<4.2.3nb2 has a remote-code-execution exploit (see
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396 for more
> Same as above, 4.2.3nb2 is _not_ vulnerable.
>>> sendmail-8.12.8 is in pkgsrc.
>>> Just get a newer pkgsrc (e.g. from anoncvs) and update.
>> I had just used sup this morning and sendmail is still at 8.12.6. Also, the
>> web site still reflects that 8.12.6 is current. When was sendmail updated
>> to 8.12.8?
> # $NetBSD: Makefile,v 1.56 2003/03/04 00:21:31 seb Exp $
>> I'm running sup again just to make sure.
> I'm not sure how often the sup-scanner runs, but I guess by tomorrow you
> have up-to-date versions of them all.
So it's not as real time as I would have thought. That's fine. I can wait
Thanks for your help and I'll try to not throw ='s after <'s from now on.
Mr. Ryan La Riviere
Project Manager; Mechanical Engineering and Mechanics
College of Engineering; Drexel University
Philadelphia, PA 19104
IM (AIM, Yahoo, MSN): edljedi
Finger for Geek Code: finger -l firstname.lastname@example.org
One thing the hardware engineers just can't seem to get the bugs out of
is... fresh paint.
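
An added example (not part of the original messages and not pkgsrc's own code) of the point settled in this thread: a `<` pattern excludes the boundary version, so the package at exactly that version is not flagged. The version comparison is a simplified assumption covering only the forms quoted here (dotted numbers, one trailing letter, `nbN`); `version_key`, `is_vulnerable` and `audit` are hypothetical names.

```python
import operator
import re

# Advisory entries as quoted in the thread: (pattern, type, URL).
ADVISORIES = [
    ("openssl<0.9.6gnb1", "weak-encryption",
     "http://www.openssl.org/news/secadv_20030219.txt"),
    ("php<4.2.3nb2", "remote-code-execution",
     "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396"),
]

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)(?:nb(\d+))?")
PATTERN_RE = re.compile(r"(.+?)(<=|>=|<|>)(.+)")


def version_key(version):
    """Sort key for versions like 4.2.3, 0.9.6g or 0.9.6gnb1 (simplified)."""
    m = VERSION_RE.fullmatch(version)
    if m is None:
        raise ValueError(f"unsupported version form: {version!r}")
    parts = [int(n) for n in m.group(1).split(".")]
    if m.group(2):                        # trailing letter: a=1, b=2, ...
        parts.append(ord(m.group(2)) - ord("a") + 1)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()                       # 1.0 and 1 compare equal
    return tuple(parts), int(m.group(3) or 0)   # nbN breaks ties last


def is_vulnerable(installed, pattern):
    """True if installed 'name-version' falls inside 'name<op>version'."""
    name, version = installed.rsplit("-", 1)
    m = PATTERN_RE.fullmatch(pattern)
    if m is None:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    pat_name, op, bound = m.groups()
    return name == pat_name and OPS[op](version_key(version), version_key(bound))


def audit(installed_pkgs):
    """Return (package, type, url) for each installed package that matches."""
    return [(pkg, kind, url) for pkg in installed_pkgs
            for pattern, kind, url in ADVISORIES if is_vulnerable(pkg, pattern)]


if __name__ == "__main__":
    for hit in audit(["openssl-0.9.6gnb1", "php-4.1.2", "php-4.2.3nb2"]):
        print(*hit)
```

Reading the first pattern as `<=` instead of `<` would flag openssl-0.9.6gnb1 itself, which is the misreading corrected above.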