Subject: Re: What to do about unfixed vulnerabilities?
To: None <agc@pkgsrc.org>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-security
Date: 10/23/2000 14:34:37
Cc: Paul Hoffman <phoffman@proper.com>, tech-pkg@netbsd.org,
	tech-security@netbsd.org
In-Reply-To: Message from Alistair Crooks <AlistairCrooks@excite.com> 
   of "Mon, 23 Oct 2000 09:45:20 PDT." <20911897.972319520349.JavaMail.imail@prickles> 
Reply-To: sommerfeld@orchard.arlington.ma.us
Message-Id: <20001023183442.BD0472A2A@orchard.arlington.ma.us>

> I agree, however, that the version numbering may be obscure - we should
> perhaps change the vulnerability list to reflect the first version which is
> safe, rather than the last vulnerable version, to make it obvious what's
> going on.

> i.e. pine<4.21nb1, rather than pine<=4.21

agreed, at least when a fixed package exists in pkgsrc; the message
can then say "Versions of the pine package older than 4.21nb1 have a ..."

					- Bill