Re: [HEADSUP] Removing vulnerable packages

[Roger Brooks <R.S.Brooks%liverpool.ac.uk@localhost>]

On 04/08/11 12:20, Thomas Klausner wrote:
> Here's an update to my list of last week:
>
> On Fri, Apr 01, 2011 at 11:47:30AM +0200, Thomas Klausner wrote:
>    
> > The packages listed below were marked as vulnerable on January 1, 2010
> > and still marked as vulnerable on April 1, 2011, while having no version
> > number updates (except for PKGREVISION bumps) in the meantime.[1]
> >
> > Please speak up if you are currently using one of them.
> > If you speak up, please think about providing patches to fix the
> > security issues (though it's not a requirement).
> >
> > I'll remove packages for which noone spoke up after the branch is cut,
> > but at the earliest two weeks from now.
> > This might also cause the removal of dependencies if the package
> > contains a library or is a dependency for another reason.
> >      
> For these packages noone has spoken up:
>
> RealPlayerGold-10.0.9.809.20070726
> acroread-4.05
> acroread5-5.10
> acroread7-7.0.9
> adobe-flash-plugin-10.0.0.525
> amaya-10.0.1
> asp2php-0.76.17
> aview-1.3.0.1
> bugzilla-2.22.7
> bugzilla-3.2.4
> camlimages-2.2.0
> cyrus-imapd-2.1.18
> firefox-bin-flash-9.0.124
> fwbuilder-2.0.12
> fwbuilder21-2.1.19
> gpsdrive-1.31
> instiki-0.9.2
> jakarta-tomcat4-4.1.30
> jakarta-tomcat5-5.0.30
> libxml-1.8.17
> mailscanner-4.30.3.2
> mgv-3.1.5
> newt-0.51.6
> ntop-1.1
> quake3arena-1.32b
> quake3server-1.32b
> roundup-1.4.6
> sarg-2.1
> squidGuard-1.4
> synce-dccm-0.9.1
> tkman-2.2
> trickle-1.06
> tunapie-2.1.6
> vlc08-0.8.6i
> zope210-2.10.7
> zope211-2.11.2
> zope29-2.9.10
> zope3-3.3.1
>
>
> Spoken for:
> acroread8-8.1.7
> automake14-1.4.6
> bash-completion-1.0
> compat14-1.4.3
> compat15-1.5.3
> crossfire-server-1.11.0
> gdb-6.2.1
> kdegraphics-3.5.10
> kdelibs-3.5.10
> lmbench-2.11a
> mutt-1.4.2.3
> netbsd32_compat15-1.5.3
> pdfjam-1.20
> prelude-manager-0.9.15
> suse32_freetype2-10.0
> suse32_gtk2-10.0
> suse32_libcups-10.0
> suse32_openssl-10.0
> suse_freetype2-10.0
> suse_gtk2-10.0
> suse_libcups-10.0
> suse_openssl-10.0
> userppp-001107
> wxGTK-2.6.3
> wxGTK24-2.4.2
> xdg-utils-1.0.2
> xemacs-21.5.27
> xemacs-nox11-21.5.27
> xentools3-3.1.4
>
> Fixed:
> ap22-auth-mysql-4.3.1
> blender-2.49b
> kadu-0.5.0
> mpop-1.0.12
> putty-0.6.20090906
> snort-2.8.3.1
> xmp-2.5.1
>
> Incorrectly on the list:
> ap22-auth-mysql-1.11.12
> freetype-1.5
>
>   Thomas
>    

AFAIK, adobe-flash-plugin-10.0.0.525 is the only flash plugin available which 
will work on NetBSD.  Removing it is going to force many of us who use NetBSD 
desktops to switch to Linux.  My understanding is that newer versions of flash 
require linux emulation to be brought up to date.

Roger