Subject: updating vulnerable package in pkgsrc (gimp24)
To: None <>
From: Anne Bennett <>
List: tech-security
Date: 07/28/2007 16:04:10

I wanted to install gimp24 from pkgsrc-2007Q2, but "make fetch"
stopped me with an error explaining that the version I had (2.3.18)
had a security vulnerability.  The documentation at
suggests that the latest version is 2.3.18nb1, not 2.3.18.

I tried "cd /usr/pkgsrc; cvs -q update -dP", but it has not picked up
any updates since a run earlier this morning.  I was finally able to get
an updated version of gimp24 by downloading the pkgsrc-current tarball.

*Should* my "cvs" operation have picked up an updated version of gimp24,
or am I going about this all wrong?  The release announcement said that
"continuing engineering starts on the pkgsrc-2007Q2 release", and the
tarball does seem to get updated weekly or so, so I had the impression
that I should be able to pick up this update.  Perhaps I just tried at the
wrong moment, but gimp24 in pkgsrc-current seems to have been updated on
July 5, so I wonder if someone missed porting that update back to 2007Q2.

I don't have a deep understanding of what changes are or are not
included in released software trees, so I apologize if I seem to be
making unreasonable demands; such is not my intention.

Anne Bennett.