Subject: amd64 cvsup Re: rsync-2.6.9 has a remote-user-shell
To: None <>
From: George Georgalis <>
List: tech-pkg
Date: 10/08/2007 12:09:34
On Sun, Oct 07, 2007 at 07:42:24PM -0400, George Georgalis wrote:
>On Sun, Oct 07, 2007 at 06:34:03PM +0100, Adrian Portelli wrote:
>>George Georgalis wrote:
>>> I've been wondering about this audit-packages message...
>>> Package rsync-2.6.9 has a remote-user-shell vulnerability, see
>>> seems to be around a while. On the rsync list I found a patch.
>>> Can someone aply it?
>>> // George
>>This was fixed about 6 weeks ago by tron@ and the package was bumped to
>>2.6.9nb1.  The fix was also pulled up into the stable branch.
>oh, okay. it seems my cvs is updated but on several
>hosts, pkg_chk -un is not indicating an update is
>available. I'll take a closer look Monday.

The problem was propagating my local cvs mirror to various hosts.

Since amd64 cvsup is broken, there is not a good way (which I know
about) to get netbsd rcs files. I need a local mirror due to the
number of hosts on my nat. So I've been maintaining a checkout of
each of the various tags I need and propagating them to hosts on
my local nat. -- that process was broken.

Is amd64 cvsup expected working in Q3? Is there a better way to do
a local mirror on amd64? Is there a way to use cvs to checkout rcs

BTW - for determining which installed packages have an available
update, I've favored pkg_chk over lintpkgsrc because of fewer
dependencies (some of my hosts are minimal, small and slow; no
perl). Are pkg_chk and lintpkgsrc the two best choices?

// George

George Georgalis, information system scientist <IXOYE><