Subject: updating vulnerable package in pkgsrc (gimp24)
To: None <tech-security@NetBSD.org>
From: Anne Bennett <firstname.lastname@example.org>
Date: 07/28/2007 16:04:10
I wanted to install gimp24 from pkgsrc-2007Q2, but "make fetch"
stopped me with an error explaining that the version I had (2.3.18)
had a security vulnerability. The documentation at
suggests that the latest version is 2.3.18nb1, not 2.3.18.

I tried "cd /usr/pkgsrc; cvs -q update -dP", but it has not picked up
any updates since a run earlier this morning. I was finally able to get
an updated version of gimp24 by downloading the pkgsrc-current tarball.

*Should* my "cvs" operation have picked up an updated version of gimp24,
or am I going about this all wrong? The release announcement said that
"continuing engineering starts on the pkgsrc-2007Q2 release", and the
tarball does seem to get updated weekly or so, so I had the impression
that I should be able to pick up this update. Perhaps I just tried at the
wrong moment, but gimp24 in pkgsrc-current seems to have been updated on
July 5, so I wonder if someone missed porting that update back to 2007Q2.

I don't have a deep understanding of what changes are or are not
included in released software trees, so I apologize if I seem to be
making unreasonable demands; such is not my intention.
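The three things the message turns on are mechanical and can be checked from a shell before asking the list: which branch a pkgsrc checkout is actually tracking (a CVS checkout records its sticky tag in CVS/Tag), what full version a package directory will build (DISTNAME version plus the PKGREVISION "nb" suffix, which is how 2.3.18 becomes 2.3.18nb1), and whether that version still matches an entry in the vulnerability list that stops "make fetch". The script below is an added illustration, not code from the original message or from pkgsrc itself. The Makefile fragment, the vulnerability entry and its advisory URL are constructed samples, and the version comparison is a simplified dotted-number-plus-nb ordering, not the real pkg_admin/audit-packages Dewey matching (which also understands suffixes like alpha, beta, rc and pl).

```shell
#!/bin/sh
# Added example: sanity checks around a pkgsrc security update.
# All sample data below is constructed for the example.

# Constructed pkgsrc Makefile fragment (real pkgsrc files use tabs; awk copes with both).
SAMPLE_MAKEFILE='DISTNAME=    gimp-2.3.18
PKGREVISION=  1
CATEGORIES=   graphics'

# Constructed pkg-vulnerabilities-style entry: "<pkg><op><version> <kind> <url>".
# The real file is tab-separated; spaces are used here so the sample is copy-safe.
SAMPLE_VULNS='gimp<2.3.18nb1 remote-code-execution https://advisory.invalid/PLACEHOLDER'

# Report which branch a CVS checkout tracks. CVS stores the sticky tag in
# CVS/Tag as "T<tag>" (or "N<tag>"/"D<date>"); no file at all means trunk.
checkout_branch() {
  if [ -f "$1/CVS/Tag" ]; then
    sed 's/^[TND]//' "$1/CVS/Tag"
  else
    echo "HEAD (pkgsrc-current)"
  fi
}

# Derive the full package version from Makefile text: the version part of
# DISTNAME, with "nb<PKGREVISION>" appended when PKGREVISION is set and > 0.
full_version() {
  printf '%s\n' "$1" | awk '
    /^DISTNAME[[:space:]]*=/    { sub(/^DISTNAME[[:space:]]*=[[:space:]]*/, ""); sub(/.*-/, ""); ver = $0 }
    /^PKGREVISION[[:space:]]*=/ { sub(/^PKGREVISION[[:space:]]*=[[:space:]]*/, ""); rev = $0 }
    END { if (rev != "" && rev + 0 > 0) ver = ver "nb" rev; print ver }'
}

# Simplified version comparison: split on dots, treat the nb revision as a
# trailing component (absent nb == 0). Prints -1, 0 or 1.
vcmp() {
  awk -v a="$1" -v b="$2" '
    function norm(v,   r) {
      r = 0
      if (match(v, /nb[0-9]+$/)) { r = substr(v, RSTART + 2); v = substr(v, 1, RSTART - 1) }
      gsub(/\./, " ", v)
      return v " " r
    }
    BEGIN {
      ca = split(norm(a), A, " "); cb = split(norm(b), B, " ")
      n = (ca > cb) ? ca : cb
      for (i = 1; i <= n; i++) {
        x = (i in A) ? A[i] + 0 : 0; y = (i in B) ? B[i] + 0 : 0
        if (x < y) { print -1; exit }
        if (x > y) { print 1; exit }
      }
      print 0
    }'
}

# Return 0 (and print the matching entry) if <pkg> <version> is still covered
# by a "<" or "<=" entry in the sample list; return 1 otherwise.
is_vulnerable() {
  pkg=$1 ver=$2
  while read -r pattern kind url; do
    [ -n "$pattern" ] || continue
    case $pattern in
      "$pkg<="*) limit=${pattern#"$pkg<="}; op=le ;;
      "$pkg<"*)  limit=${pattern#"$pkg<"};  op=lt ;;
      *) continue ;;
    esac
    if [ "$(vcmp "$ver" "$limit")" "-$op" 0 ]; then
      echo "$pkg-$ver is affected: $kind ($url)"
      return 0
    fi
  done <<EOF
$SAMPLE_VULNS
EOF
  return 1
}

# Stand-alone demonstration against a throwaway checkout directory.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/CVS" && echo "Tpkgsrc-2007Q2" > "$demo_dir/CVS/Tag"
echo "checkout tracks: $(checkout_branch "$demo_dir")"
echo "package dir builds: $(full_version "$SAMPLE_MAKEFILE")"
is_vulnerable gimp 2.3.18 || echo "gimp-2.3.18 not listed"
is_vulnerable gimp "$(full_version "$SAMPLE_MAKEFILE")" || echo "gimp-$(full_version "$SAMPLE_MAKEFILE") not listed"
rm -rf "$demo_dir"
```

If checkout_branch reports HEAD for a tree you believed was the 2007Q2 branch (or the reverse), that alone explains why "cvs update" did or did not bring in the fix; and comparing the derived version with the list entry shows whether the package directory you have is the one that was pulled up.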