Subject: Uselessness of audit-packages vs stable pkgsrc branch
To: None <pkgsrc-users@NetBSD.org>
From: Rhialto <rhialto@falu.nl>
List: pkgsrc-users
Date: 12/14/2007 11:48:13
Audit-packages is currently reporting a lot of vulnerabilities:

Package ffmpeg-0.4.9pre1nb3 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4800
Package vlc-0.8.5nb6 has a arbitrary-code-execution vulnerability, see http://www.videolan.org/sa0701.html
Package openldap-server-2.3.38 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5707
Package flac-1.1.3nb1 has a arbitrary-code-execution vulnerability, see http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=608
Package wireshark-0.99.6 has a denial-of-service vulnerability, see http://www.wireshark.org/security/wnpa-sec-2007-03.html
Package php-5.2.4nb3 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4887
Package firefox-2.0.0.8 has a cross-site-scripting vulnerability, see http://www.mozilla.org/security/announce/2007/mfsa2007-37.html
Package firefox-2.0.0.8 has a memory-corruption vulnerability, see http://www.mozilla.org/security/announce/2007/mfsa2007-38.html
Package firefox-2.0.0.8 has a cross-site-request-forgery vulnerability, see http://www.mozilla.org/security/announce/2007/mfsa2007-39.html
Package cairo-1.4.10 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5503

but what is the point of this when there are NO updates for ANY of these
in the stable pkgsrc-2007Q3 branch?

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert      -- You author it, and I'll reader it.
\X/ rhialto/at/xs4all.nl        -- Cetero censeo "authored" delendum esse.
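As an added example (not code from the post or from pkgsrc's audit-packages itself), the following Python script parses audit-packages lines in the format quoted above, splits each package name from its version, and flags which findings a given branch could actually fix by offering a newer package. The branch snapshot is constructed (php is hypothetically bumped so both outcomes appear), and the version ordering is a simplified re-implementation of pkgsrc's dewey comparison.

```python
import re
# Constructed sample: three audit-packages lines in the format quoted in the post.
AUDIT_OUTPUT = """\
Package ffmpeg-0.4.9pre1nb3 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4800
Package openldap-server-2.3.38 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5707
Package php-5.2.4nb3 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4887
"""
# Constructed snapshot of a stable branch (hypothetical: php bumped so that both
# outcomes appear; the other two are unchanged, as the poster observed).
BRANCH_VERSIONS = {"ffmpeg": "0.4.9pre1nb3", "openldap-server": "2.3.38", "php": "5.2.5"}

LINE_RE = re.compile(r"^Package (\S+) has an? (\S+) vulnerability, see (\S+)$")
PKG_RE = re.compile(r"^(.+)-(\d.*)$")  # split at the last '-' that precedes a digit
MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}

def dewey(version):
    # Simplified pkgsrc 'dewey' ordering: pre-release modifiers sort below the
    # release, and a trailing nbN (pkgsrc revision) is compared last.
    base, _, nb = version.partition("nb")
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+", base):
        if tok.isdigit():
            parts.append(int(tok))
        else:  # alpha/beta/pre/rc/pl, or a single letter suffix such as 1.1a
            parts.append(MODIFIERS.get(tok.lower(), ord(tok[0].lower()) - ord("a") + 1))
    return parts, int(nb) if nb.isdigit() else 0

def newer(a, b):
    # True if version string a sorts after version string b.
    pa, nba = dewey(a)
    pb, nbb = dewey(b)
    width = max(len(pa), len(pb))
    return (pa + [0] * (width - len(pa)), nba) > (pb + [0] * (width - len(pb)), nbb)

def triage(audit_output, branch_versions):
    # Parse each finding and flag whether the branch offers any newer package for it.
    findings = []
    for line in audit_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not findings
        name, version = PKG_RE.match(m.group(1)).groups()
        available = branch_versions.get(name)
        findings.append({"package": name, "installed": version, "type": m.group(2),
                         "ref": m.group(3),
                         "fix_available": available is not None and newer(available, version)})
    return findings

if __name__ == "__main__":
    for f in triage(AUDIT_OUTPUT, BRANCH_VERSIONS):
        print(f["package"], f["installed"], "update available" if f["fix_available"] else "NO UPDATE in branch")
```

Run against real audit-packages output and a branch's package list, the "NO UPDATE in branch" rows are exactly the findings the poster is complaining about: reported, but not fixable by upgrading within the branch.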