Subject: error in vulnerability list re: latest firefox
To: None <pkgsrc-users@netbsd.org>
From: Anne Bennett <anne@porcupine.montreal.qc.ca>
List: pkgsrc-users
Date: 07/28/2007 16:54:56

Hi, all.

I'm trying to install firefox (2.0.0.5) from pkgsrc-current, but "make
fetch" complains about CVE-2006-2894, which I'm fairly sure was
addressed several versions ago.  I think that the problem is that
the entry in the vulnerability list needs to be updated.  There are
four lines that refer to the problem:

   firefox{,2}{,-bin,-gtk1}-[0-9]*	remote-information-exposure	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894
   seamonkey{,-bin,-gtk1}-[0-9]*	remote-information-exposure	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894
   mozilla{,-bin,-gtk2}-[0-9]*	remote-information-exposure	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894
   netscape7-[0-9]*	remote-information-exposure	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894


... but I'm pretty sure that firefox (formerly known as firefox2) and
seamonkey have had that fixed in the past few releases.

For now I'll work around with ALLOW_VULNERABLE_PACKAGES.

Anne Bennett.
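
Why the entries quoted in the message flag firefox 2.0.0.5, as an added example that is not part of the original post and is not pkgsrc's own code: a simplified Python model of the brace alternation and glob matching in the pattern field. The function names and every package name other than firefox-2.0.0.5 are constructed for illustration; nested braces and version-comparison patterns are not modelled.

```python
import fnmatch

CVE_URL = "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894"
# Pattern fields of the four entries quoted in the message.
PATTERNS = [
    "firefox{,2}{,-bin,-gtk1}-[0-9]*",
    "seamonkey{,-bin,-gtk1}-[0-9]*",
    "mozilla{,-bin,-gtk2}-[0-9]*",
    "netscape7-[0-9]*",
]
VULN_LIST = "\n".join(
    f"{p}\tremote-information-exposure\t{CVE_URL}" for p in PATTERNS
)

def expand_braces(pattern):
    """Expand csh-style {a,b} alternation (no nesting) into plain globs."""
    start = pattern.find("{")
    end = pattern.find("}", start)
    if start == -1 or end == -1:
        return [pattern]
    head, body, tail = pattern[:start], pattern[start + 1:end], pattern[end + 1:]
    expanded = []
    for alternative in body.split(","):
        expanded.extend(expand_braces(head + alternative + tail))
    return expanded

def parse_entries(text):
    """Yield (pattern, vulnerability type, URL) from whitespace-separated lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, vuln_type, url = line.split(None, 2)
            yield pattern, vuln_type, url

def audit(pkgname, text=VULN_LIST):
    """Return the entries whose pattern matches pkgname (name-version)."""
    hits = []
    for pattern, vuln_type, url in parse_entries(text):
        for glob in expand_braces(pattern):
            if fnmatch.fnmatchcase(pkgname, glob):
                hits.append((glob, vuln_type, url))
                break  # one hit per entry is enough
    return hits

if __name__ == "__main__":
    # firefox-2.0.0.5 is the version from the message; the rest are constructed.
    for name in ("firefox-2.0.0.5", "firefox-bin-99.0", "thunderbird-2.0"):
        print(name, "->", audit(name) or "no match")
```

Because each pattern ends in `-[0-9]*`, the match depends only on the package name, so the entry stays active for every version until the list itself is edited.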