pkgsrc-Bugs archive
pkg/42688: old acroread packages should be removed, because of security risks
>Number: 42688
>Category: pkg
>Synopsis: old acroread packages should be removed, because of security risks
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Fri Jan 29 00:05:00 +0000 2010
>Originator: SODA Noriyuki
>Release: NetBSD 5.0.1
>Organization:
>Environment:
System: NetBSD heab 5.0.1 NetBSD 5.0.1 (GENERIC) #0: Thu Jul 30 01:39:11 UTC 2009 builds%b8.netbsd.org@localhost:/home/builds/ab/netbsd-5-0-1-RELEASE/i386/200907292356Z-obj/home/builds/ab/netbsd-5-0-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
acroread, acroread5, acroread7, and acroread8 packages
should be removed from pkgsrc, because:
- All of them have severe security holes.
- All of them are not maintained anymore.
  from http://rhn.redhat.com/errata/RHSA-2010-0060.html
  > Adobe have discontinued support for Adobe Reader 8 for Linux.
- There are several alternative PDF readers which are usable.
  e.g. epdfview, evince, ... (acroread 9 is desirable too, though)
- The risks of continuing to use these packages are high.
  There are lots of 0-day attacks against Acrobat Reader
  (and Flash Player) these days.
  And even trustworthy web sites are not really trustworthy these days
  due to the Gumblar virus and its variants which steal passwords
  of web admins.
  And antivirus vendors claim that there is a threat of PDF viruses
  against Linux too:
  http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-0125-99
  Since acroread is a Linux binary, nearly all PDF viruses against
  Linux do work against NetBSD too, unless the virus relies on a
  Linux-specific kernel hole.
  If it's a TeX source file, security risks could be practically
  avoided by knowledgeable users. But the risks about PDF files
  cannot be avoided even by knowledgeable users these days.
- Having them in pkgsrc gives a false impression to our users
  that there is a secure way to continue to use them.
>How-To-Repeat:
>Fix:
cvs remove && cvs ci