Subject: Re: Pkg sources that have exploits and I'd like updated
To: Ryan La Riviere <larz@cbis.ece.drexel.edu>
From: Thomas Klausner <wiz@netbsd.org>
List: tech-pkg
Date: 03/04/2003 19:57:57
On Tue, Mar 04, 2003 at 01:29:48PM -0500, Ryan La Riviere wrote:
> > openssl-0.9.6gnb1 is in pkgsrc.
> 
> This was listed on the openssl page:
>  openssl<0.9.6gnb1 has a weak-encryption exploit (see
> http://www.openssl.org/news/secadv_20030219.txt for more details)

Yes, < meaning that 0.9.6gnb1 is _not_ vulnerable.

> >> Package php-4.1.2 has a remote-code-execution vulnerability, see
> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
> > 
> > php-4.2.3nb2 is in pkgsrc.
> 
> This was listed on the php4 page:
>  php<4.2.3nb2 has a remote-code-execution exploit (see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396 for more
> details)

Same as above, 4.2.3nb2 is _not_ vulnerable.

> > sendmail-8.12.8 is in pkgsrc.
> > 
> > Just get a newer pkgsrc (e.g. from anoncvs) and update.
> 
> I had just used sup this morning and sendmail is still at 8.12.6.  Also, the
> web site still reflects that 8.12.6 is current.  When was sendmail updated
> to 8.12.8?

# $NetBSD: Makefile,v 1.56 2003/03/04 00:21:31 seb Exp $

> I'm running sup again just to make sure.
> 

I'm not sure how often the sup-scanner runs, but I guess by tomorrow you should
have up-to-date versions of them all.

 Thomas
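The `pkg<version` lines quoted above are pkgsrc vulnerability patterns: a package matches only if its installed version is strictly older than the one after `<`. The following is an added example, not code from this thread or from pkgsrc's own pkg_install; its version ordering (single letters as alphabet index, alpha/beta/rc below a plain release, the `nbN` revision compared last) is an assumption modelled on pkgsrc's dewey comparison rules, and the package names and versions checked are the ones quoted in the thread.

```python
import re

# Pre-release weights, an approximation of pkgsrc's dewey rules (assumption).
_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}
_TOKEN = re.compile(r"\d+|nb|alpha|beta|pre|rc|pl|[a-z]")
_PATTERN = re.compile(r"^([A-Za-z0-9_+.-]+?)(<=|>=|<|>|==|!=)([0-9][A-Za-z0-9.]*)$")
_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}

def parse_version(ver):
    """Split '0.9.6gnb1' into ([0, 9, 6, 7], 1): digits become ints, a lone
    letter becomes its alphabet index ('g' -> 7), alpha/beta/rc sort below a
    plain release, and the pkgsrc revision 'nbN' is kept apart to decide ties.
    """
    comps, nb, expect_nb = [], 0, False
    for tok in _TOKEN.findall(ver.lower()):
        if tok == "nb":
            expect_nb = True
        elif tok.isdigit():
            if expect_nb:
                nb, expect_nb = int(tok), False
            else:
                comps.append(int(tok))
        elif tok in _MODIFIERS:
            comps.append(_MODIFIERS[tok])
        else:
            comps.append(ord(tok) - ord("a") + 1)
    return comps, nb

def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ca, na = parse_version(a)
    cb, nb = parse_version(b)
    width = max(len(ca), len(cb))
    ca += [0] * (width - len(ca))  # missing trailing components count as 0
    cb += [0] * (width - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    return (na > nb) - (na < nb)  # identical release: the nb revision decides

def is_vulnerable(installed, pattern):
    """True if 'name-version' matches a pattern such as 'openssl<0.9.6gnb1'."""
    m = _PATTERN.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    name, op, ver = m.groups()
    pkg_name, _, pkg_ver = installed.rpartition("-")
    return pkg_name == name and _OPS[op](compare_versions(pkg_ver, ver))
```

With these rules `openssl-0.9.6g` matches `openssl<0.9.6gnb1` while `openssl-0.9.6gnb1` itself does not, which is the reading Thomas gives above.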