Subject: Re: What to do for a graphical browser in NetBSD???
To: None <current-users@netbsd.org>
From: Pierre Pronchery <khorben@defora.org>
List: current-users
Date: 11/20/2006 18:16:01
[cross-posting to the pkgsrc-user list where I believe it should go]

Brian Buhrow wrote:
> 	Hello.  My wife would like to convert her ancient laptop to NetBSD.
> Now, I'm looking at the pkgsrc tree, as of 2006Q3, and I see that firefox
> is in there, but the version is 1.5.0.7,
> and that this version has several security holes.  What are others doing to
> get graphical browsers under NetBSD?  Do folks just not use the pkgsrc tree
> to build a browser, or must I update my pkgsrc tree to the absolutely
> latest of the moment to get the current firefox browser?

At the moment the "audit-packages" command from pkgsrc has just one
vulnerability listed:
Package firefox-1.5.0.7 has a remote-information-exposure vulnerability,
see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894

However, you are correct, and there are more. It is really difficult (if
not impossible) to get this information from the official Mozilla
website. Accessing the source code archives is not that good either: a
light gray on white link at the bottom of the "Other systems &
languages" page, followed by a directory listing...

Anyway, I had a look there:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=1.5.0.8
and it mentions "unspecified vulnerabilities" and "arbitrary code
execution". It makes one wonder, I agree :)

Now for your question, there is clearly an issue here. The solution I
chose for myself is to update my pkgsrc tree and re-compile firefox
every now and then, but your girlfriend's laptop is not a Core Duo I
guess :/
You can also try to run the official Linux binaries with binary
emulation, which should still be as stable and almost as fast as it
would be on Linux.

I am not a pkgsrc-guru however, and there may be more obvious solutions
that I failed to think about. IMHO, we would benefit from binary
upgrades for the packages found vulnerable.

HTH,
-- 
khorben