Subject: Re: Pkg sources that have exploits and I'd like updated
To: Ryan La Riviere <firstname.lastname@example.org>
From: Thomas Klausner <email@example.com>
Date: 03/04/2003 19:57:57

On Tue, Mar 04, 2003 at 01:29:48PM -0500, Ryan La Riviere wrote:
> > openssl-0.9.6gnb1 is in pkgsrc.
> This was listed on the openssl page:
> openssl<0.9.6gnb1 has a weak-encryption exploit (see
> http://www.openssl.org/news/secadv_20030219.txt for more details)

Yes, < meaning that 0.9.6gnb1 is _not_ vulnerable.

> >> Package php-4.1.2 has a remote-code-execution vulnerability, see
> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
> > php-4.2.3nb2 is in pkgsrc.
> This was listed on the php4 page:
> php<4.2.3nb2 has a remote-code-execution exploit (see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396 for more

Same as above, 4.2.3nb2 is _not_ vulnerable.

> > sendmail-8.12.8 is in pkgsrc.
> > Just get a newer pkgsrc (e.g. from anoncvs) and update.
> I had just used sup this morning and sendmail is still at 8.12.6. Also, the
> web site still reflects that 8.12.6 is current. When was sendmail updated
> to 8.12.8?

# $NetBSD: Makefile,v 1.56 2003/03/04 00:21:31 seb Exp $

> I'm running sup again just to make sure.

I'm not sure how often the sup-scanner runs, but I guess by tomorrow you should
have up-to-date versions of them all.
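
Added example, not part of the original message and not pkgsrc's own code: a simplified model of how a "name<version" advisory pattern such as the two quoted in this thread is checked against an installed package. It assumes numeric components are compared left to right, a trailing letter ranks above no letter, and the nbN revision is the final tiebreaker; modifiers such as alpha, beta or rc are not handled, and all function names are hypothetical.

```python
import re

# Advisory patterns as quoted in the thread.
ADVISORIES = ["openssl<0.9.6gnb1", "php<4.2.3nb2"]


def parse_version(version):
    """Split a pkgsrc-style version into (components, nb_revision)."""
    m = re.fullmatch(r"(.*?)(?:nb(\d+))?", version)
    base, nb = m.group(1), int(m.group(2) or 0)
    parts = []
    for tok in re.findall(r"\d+|[a-z]", base):
        # Digits compare numerically; a single letter maps to a=1 .. z=26.
        parts.append(int(tok) if tok.isdigit() else ord(tok) - ord("a") + 1)
    return parts, nb


def version_lt(a, b):
    """True if version a sorts strictly before version b."""
    pa, na = parse_version(a)
    pb, nb = parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))   # pad so 0.9.6 compares as 0.9.6.0
    pb += [0] * (width - len(pb))
    return (pa, na) < (pb, nb)      # nb revision only breaks ties


def is_vulnerable(installed, pattern):
    """Match an installed 'name-version' against a 'name<version' pattern."""
    pat_name, _, bound = pattern.partition("<")
    name, _, version = installed.rpartition("-")
    return name == pat_name and version_lt(version, bound)


def audit(installed_pkgs, advisories=ADVISORIES):
    """Return the installed packages that fall under any advisory pattern."""
    return [p for p in installed_pkgs
            if any(is_vulnerable(p, a) for a in advisories)]


if __name__ == "__main__":
    # Constructed package list: the versions discussed in the thread.
    pkgs = ["openssl-0.9.6g", "openssl-0.9.6gnb1", "php-4.1.2", "php-4.2.3nb2"]
    for pkg in audit(pkgs):
        print("vulnerable:", pkg)
```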