Subject: What to do about unfixed vulnerabilities?
To: None <tech-pkg@netbsd.org, tech-security@netbsd.org>
From: Paul Hoffman <phoffman@proper.com>
List: tech-security
Date: 10/23/2000 09:12:21

The new audit-packages package is quite nice, and thanks for the work 
that went into it. I run it, and it tells me:

     Package pine-4.21 has a denial-of-service vulnerability,
     see http://www.securityfocus.com/advisories/2646

Yes, but pine-4.21 is the current version of pine. Maybe you can put 
a note in the NetBSD vulnerability list explaining either (a) where 
in pkgsrc to get the update or (b) don't bother to look, it hasn't 
been fixed yet.