Subject: Re: Why is firefox-2.0.0.7 marked as insecure?
To: NetBSD current-users <current-users@netbsd.org>
From: None <khym@azeotrope.org>
List: current-users
Date: 10/02/2007 14:44:23
On Tue, Oct 02, 2007 at 12:46:30PM -0500, M Graff wrote:
> ===> Checking for vulnerabilities in firefox-2.0.0.7
> Package firefox-2.0.0.7 has a remote-information-exposure vulnerability,
> see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894
> ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URLS in
> audit-packages.conf(5) if this package is absolutely essential.
> 
> The version that URL refers to is ancient:

> Is 2.0.0.7 still insecure, or is this a mistake in an overly-zealous match?

This was brought up a few months ago:
http://mail-index.netbsd.org/pkgsrc-users/2007/07/28/0005.html

The referenced http://secunia.com/advisories/20442 page still lists it
as Unpatched, although I couldn't get the demo at
http://lcamtuf.coredump.cx/focusbug/ to work with 2.0.0.7 (it worked for
me with 2.0). So perhaps it's been fixed? However, I didn't spot anything
in http://www.mozilla.org/projects/security/known-vulnerabilities.html
that said this was fixed.

-- 
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: khym@azeotrope.org |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan         |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 31 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
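The question in this thread is whether audit-packages is matching 2.0.0.7 because the package really is affected or because the pkg-vulnerabilities entry is written too broadly. The script below is an added illustration, not code from this message or from pkgsrc's audit-packages, of how the three pattern styles used in that file (an unbounded glob like `firefox-[0-9]*`, a single bound like `firefox<2.0.0.7`, and a range like `firefox>=2.0<2.0.0.8`) decide whether a given package name is flagged, and how an IGNORE_URLS entry suppresses one of them. The three vulnerability lines are constructed for the example; they are not the real entries for this CVE, and the version comparison is a simplified dewey compare (numeric fields only, with `nbN` revisions sorting after the base version), not the full pkg_install implementation.

```python
import fnmatch
import re

# Constructed sample entries in pkg-vulnerabilities style: pattern, type, URL.
# The first deliberately matches every firefox version, which is the
# "overly-zealous match" case; the other two are bounded.
SAMPLE_VULNS = """\
# package-pattern  type-of-exploit  url
firefox-[0-9]* remote-information-exposure http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894
firefox<2.0.0.7 remote-code-execution http://example.invalid/fixed-in-2.0.0.7
firefox>=2.0<2.0.0.8 remote-code-execution http://example.invalid/fixed-in-2.0.0.8
"""

def split_pkg(pkgname):
    """Split 'firefox-2.0.0.7' into ('firefox', '2.0.0.7') at the last dash."""
    base, _, ver = pkgname.rpartition("-")
    return base, ver

def version_fields(ver):
    """Simplified dewey: keep numeric runs only, so '2.0.0.7nb1' -> [2,0,0,7,1]."""
    return [int(x) for x in re.findall(r"\d+", ver)]

def compare_versions(a, b):
    """Return -1, 0 or 1 like strcmp; shorter versions are zero-padded."""
    fa, fb = version_fields(a), version_fields(b)
    n = max(len(fa), len(fb))
    fa += [0] * (n - len(fa))
    fb += [0] * (n - len(fb))
    return (fa > fb) - (fa < fb)

_BOUNDED = re.compile(r"^([^<>]+)((?:[<>]=?[^<>]+)+)$")
_BOUND = re.compile(r"([<>]=?)([^<>]+)")

def pattern_matches(pattern, pkgname):
    """Match a pkg-vulnerabilities pattern against a full package name.

    Bounded forms (name<ver, name>=a<b) compare versions; anything else is
    treated as a shell glob, as audit-packages does for e.g. 'firefox-[0-9]*'.
    (csh-style {a,b} alternation is not handled here.)
    """
    base, ver = split_pkg(pkgname)
    m = _BOUNDED.match(pattern)
    if m:
        if m.group(1) != base:
            return False
        for op, bound in _BOUND.findall(m.group(2)):
            c = compare_versions(ver, bound)
            if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]:
                return False
        return True
    return fnmatch.fnmatchcase(pkgname, pattern)

def audit(pkgname, vulns_text, ignore_urls=()):
    """Return the (pattern, type, url) entries that flag pkgname.

    ignore_urls plays the role of IGNORE_URLS in audit-packages.conf(5):
    an entry whose URL is listed is skipped entirely.
    """
    hits = []
    for line in vulns_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split()[:3]
        if url in ignore_urls:
            continue
        if pattern_matches(pattern, pkgname):
            hits.append((pattern, kind, url))
    return hits

if __name__ == "__main__":
    for pkg in ("firefox-2.0", "firefox-2.0.0.7", "firefox-2.0.0.8"):
        print(pkg, [h[0] for h in audit(pkg, SAMPLE_VULNS)])
    cve = "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894"
    print("with IGNORE_URLS:", audit("firefox-2.0.0.7", SAMPLE_VULNS, {cve}))
```

Running it shows why an entry written as `firefox-[0-9]*` keeps flagging 2.0.0.7 no matter how many releases Mozilla ships: the glob has no upper bound, so only a corrected entry in pkg-vulnerabilities, or an IGNORE_URLS line for that specific URL, makes the warning go away. The bounded forms stop matching on their own once the installed version reaches the fixed release.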