Subject: Re: Uselessness of audit-packages vs stable pkgsrc branch
To: Rhialto <rhialto@falu.nl>
From: Adrian Portelli <adrianp@stindustries.net>
List: pkgsrc-users
Date: 12/14/2007 11:15:43
Rhialto wrote:
> Audit-packages is currently reporting a lot of vulnerabilities:
> 
> Package ffmpeg-0.4.9pre1nb3 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4800
> Package vlc-0.8.5nb6 has a arbitrary-code-execution vulnerability, see http://www.videolan.org/sa0701.html
> Package openldap-server-2.3.38 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5707
> Package flac-1.1.3nb1 has a arbitrary-code-execution vulnerability, see http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=608
> Package wireshark-0.99.6 has a denial-of-service vulnerability, see http://www.wireshark.org/security/wnpa-sec-2007-03.html
> Package php-5.2.4nb3 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4887
> Package firefox-2.0.0.8 has a cross-site-scripting vulnerability, see http://www.mozilla.org/security/announce/2007/mfsa2007-37.html
> Package firefox-2.0.0.8 has a memory-corruption vulnerability, see http://www.mozilla.org/security/announce/2007/mfsa2007-38.html
> Package firefox-2.0.0.8 has a cross-site-request-forgery vulnerability, see http://www.mozilla.org/security/announce/2007/mfsa2007-39.html
> Package cairo-1.4.10 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5503
> 
> but what is the point of this when there are NO updates for ANY of these
> in the stable pkgsrc-2007Q3 branch?
> 
> -Olaf.

There are multiple reasons really why you will sometimes experience this:

1) Your pkgsrc-stable is out of date (php was pulled up on the 5th December)
2) Sometimes we know about vulnerabilities and there is no fix currently
available (e.g. Wireshark 0.99.7 has not been released yet AFAIK)
3) For certain packages (e.g. PHP) I'm very hesitant of rushing a patch
from HEAD into stable.  In my mind we call it stable for a reason so I
usually apply patches to HEAD, wait for the dust to settle, then request
the pullups.
4) Sometimes, usually late in the quarter, it can take a lot of effort
to get the right patches submitted as there can be more of a difference
between HEAD and stable.

All these, and more, result in delays of pullups to stable.  We do care
about the stable branch and reminders are sent to MAINTAINERS (when they
exist) to request pullups.

HTH,

adrian.
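The audit-packages output quoted at the top of the thread is line-oriented and easy to post-process when deciding which of the reported packages to chase first. The following is an added example, not part of this thread and not one of pkgsrc's own tools: it parses those report lines, collapses them to one entry per installed package, and orders the packages by vulnerability class. The sample input is the report quoted above; the severity ranking in `SEVERITY` is an assumption made for this example, not pkgsrc policy.

```python
import re

# Constructed sample input: the audit-packages lines quoted in the thread.
SAMPLE_REPORT = """\
Package ffmpeg-0.4.9pre1nb3 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4800
Package vlc-0.8.5nb6 has a arbitrary-code-execution vulnerability, see http://www.videolan.org/sa0701.html
Package openldap-server-2.3.38 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5707
Package flac-1.1.3nb1 has a arbitrary-code-execution vulnerability, see http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=608
Package wireshark-0.99.6 has a denial-of-service vulnerability, see http://www.wireshark.org/security/wnpa-sec-2007-03.html
Package php-5.2.4nb3 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4887
Package firefox-2.0.0.8 has a cross-site-scripting vulnerability, see http://www.mozilla.org/security/announce/2007/mfsa2007-37.html
Package firefox-2.0.0.8 has a memory-corruption vulnerability, see http://www.mozilla.org/security/announce/2007/mfsa2007-38.html
Package firefox-2.0.0.8 has a cross-site-request-forgery vulnerability, see http://www.mozilla.org/security/announce/2007/mfsa2007-39.html
Package cairo-1.4.10 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5503
"""

# One report line as audit-packages prints it (the article is "a" or "an").
LINE_RE = re.compile(
    r"^Package (?P<pkgid>\S+) has an? (?P<kind>[A-Za-z-]+) vulnerability, see (?P<ref>\S+)\s*$"
)

# A pkgsrc package id is "<name>-<version>"; the version starts at the last
# '-' that is followed by a digit, so names such as openldap-server survive.
PKGID_RE = re.compile(r"^(?P<name>.+)-(?P<version>\d[^-]*)$")

# Triage ordering: an assumption for this example, not pkgsrc policy.
SEVERITY = {
    "arbitrary-code-execution": 3,
    "memory-corruption": 3,
    "cross-site-scripting": 2,
    "cross-site-request-forgery": 2,
    "denial-of-service": 1,
}


def split_pkgid(pkgid):
    """Split 'name-version' into (name, version); version is '' if absent."""
    m = PKGID_RE.match(pkgid)
    if not m:
        return pkgid, ""
    return m.group("name"), m.group("version")


def parse_report(text):
    """Return one dict per well-formed report line; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, version = split_pkgid(m.group("pkgid"))
        findings.append({
            "name": name,
            "version": version,
            "kind": m.group("kind"),
            "ref": m.group("ref"),
        })
    return findings


def summarize(findings):
    """Collapse per-line findings into one entry per installed package."""
    by_pkg = {}
    for f in findings:
        entry = by_pkg.setdefault(
            f["name"], {"version": f["version"], "kinds": set(), "refs": []}
        )
        entry["kinds"].add(f["kind"])
        entry["refs"].append(f["ref"])
    return by_pkg


def triage_order(summary):
    """Package names, worst vulnerability class first, then alphabetically."""
    def worst(name):
        return max(SEVERITY.get(k, 0) for k in summary[name]["kinds"])
    return sorted(summary, key=lambda n: (-worst(n), n))


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for name in triage_order(summary):
        kinds = ", ".join(sorted(summary[name]["kinds"]))
        print(f"{name}-{summary[name]['version']}: {kinds}")
```

Run it as a script to print the ranked list, or feed it real output with `parse_report(subprocess.check_output(["audit-packages"], text=True))`; unrecognised lines (for example a header or a "may be vulnerable" variant) are simply ignored rather than crashing the run.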