On Sat, 18 Jul 2009 22:54:28 +0200
Joerg Sonnenberger <joerg%britannica.bec.de@localhost> wrote:
> On Fri, Jul 17, 2009 at 11:25:25PM -0400, Steven M. Bellovin wrote:
>> in /etc/pkg_install.conf; when I check it via
>> # pkg_admin config-var IGNORE_URL
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1889
>> some-other-advisory
> A better check would be "pkg_admin audit-pkg pidgin-2.5.7", just as
> reference.
Good point.
>> I get what seems to be the right answer. Nevertheless, when I try
>> to build it the system complains about the vulnerability:
> Do you have pkg_install installed from pkgsrc? That would use
> ${PREFIX}/etc/pkg_install.conf.
That was it, but it raises two more questions.
First -- why did pkg_admin find the copy in /etc, when 'make' did not?
Before I created the file, I actually checked the man page, which
specified /etc; I then ran pkg_admin to double-check. Let me amend
that: I know why, in the sense that /usr/sbin/pkg_admin is found first
via my $PATH. But why isn't the tool in pkgsrc using $PATH as well?
Second -- this distinction looks troublesome down the road. Normally,
I don't install pkg_install from pkgsrc; presumably, that means that
the copy in /etc would be checked. But sometimes, pkgsrc itself is
updated enough that 'make' fails until I update my package tools -- at
which point everything is going to look for a different copy. Or am I
missing something?
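
A check for the situation discussed in this message, as an added example that is not part of the original mail or of pkgsrc: it lists the IGNORE_URL entries that appear in only one of two pkg_install.conf files, so an audit exception recorded for one copy of the tools is not silently absent for the other. The function names are hypothetical, the sample files are constructed, and the code assumes the `VARIABLE=value` line format with IGNORE_URL allowed to repeat.

```shell
#!/bin/sh
# Added example: not from the original mail and not part of pkgsrc.

# Print the IGNORE_URL values of a pkg_install.conf-style file, sorted.
# Assumes VARIABLE=value lines; IGNORE_URL may appear several times.
ignore_urls() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*IGNORE_URL=//p' "$1" \
        | sed 's/[[:space:]]*$//' | LC_ALL=C sort -u
}

# Print every IGNORE_URL entry found in only one of the two files.
# Returns 0 when both files ignore the same advisories, 1 otherwise.
ignore_url_drift() {
    a=$1 b=$2
    ta=$(mktemp) && tb=$(mktemp) || return 2
    ignore_urls "$a" > "$ta"
    ignore_urls "$b" > "$tb"
    out=$(
        LC_ALL=C comm -23 "$ta" "$tb" |
            while IFS= read -r u; do printf 'only in %s: %s\n' "$a" "$u"; done
        LC_ALL=C comm -13 "$ta" "$tb" |
            while IFS= read -r u; do printf 'only in %s: %s\n' "$b" "$u"; done
    )
    rm -f "$ta" "$tb"
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: one file carries both exceptions shown in the mail,
# the file under the (assumed) /usr/pkg prefix carries only one of them.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/etc" "$d/usr/pkg/etc"
    printf '%s\n' \
        'IGNORE_URL=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1889' \
        'IGNORE_URL=some-other-advisory' > "$d/etc/pkg_install.conf"
    printf '%s\n' '# constructed sample' 'IGNORE_URL=some-other-advisory' \
        > "$d/usr/pkg/etc/pkg_install.conf"
    rc=0
    (cd "$d" && ignore_url_drift etc/pkg_install.conf usr/pkg/etc/pkg_install.conf) || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a real system the call would be `ignore_url_drift /etc/pkg_install.conf "${PREFIX}/etc/pkg_install.conf"`, with PREFIX set to the pkgsrc installation prefix.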