Re: [HEADSUP] Removing vulnerable packages

["OBATA Akio" <obache%netbsd.org@localhost>]

On Fri, 01 Apr 2011 22:55:19 +0900, Thomas Klausner <wiz%netbsd.org@localhost> 
wrote:

> On Fri, Apr 01, 2011 at 10:33:04PM +0900, OBATA Akio wrote:
> > On Fri, 01 Apr 2011 21:02:32 +0900, Thomas Klausner <wiz%netbsd.org@localhost> 
> > wrote:
> > >Oh no. Can we rename one of them?
> >
> > Hmm, After some digging...
> > www/ap-auth-mysql
> >   From debian/copyright, it seemes that it is debianised (and folk?) of 
> > following:
> >   http://mod-auth-mysql.sourceforge.net/
> > www/ap2-auth-mysql
> >   upstream dead.
> >   From CHANGES, it seems that following is successor (or folk) of it.
> >   http://modauthmysql.sourceforge.net/
>
> So the dead version has the security issue?
> Then we can remove it and fix the pattern so it doesn't match the less
> dead one :)

Unfortunately, vulnerable one is www/ap-auth-mysql.

> > Debian's
> >   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=259987
> > RedHat's
> >   https://bugzilla.redhat.com/show_bug.cgi?id=492589
> >
> > I'm not a bash user.
> > I could reproduced some of them, but I cannot check all of them.
>
> Debian closed their bug report in 2009, so if we update to the latest
> 1.3, we should be fine to. (I'm not gonna do the update.)

Thanks.

--
OBATA Akio / obache%NetBSD.org@localhost