pkgsrc-Bugs archive


Re: pkg/50082 (suse131 packages are outdated)



> Committed, thank you.
> Can you please send a patch for the pkg-vulnerabilities file?

Thank you for your commit.

As a precaution, I tried to confirm that a vulnerability recorded in
the pkg-vulnerabilities file, CVE-2014-4043, is actually resolved.

The result is *very disappointing*. As I could not find their commit
log for this vulnerability, I executed test code obtained from

  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-4043

and found this vulnerability remains! I also checked it on openSUSE
13.1 installed in a virtual machine. In conclusion, the openSUSE community
leaves the well-known vulnerability in their supported branch.

Unfortunately, we can no longer trust packages provided by openSUSE.
We may have two options: (1) check and fix every vulnerability for
openSUSE, or (2) switch to a more reliable distribution. Both seem
very hard, though....

