Subject: RE: Where is gtk2+>=2.2.4nb2
To: Ib-Michael Martinsen <imm@nethotel.dk>
From: David H.Gutteridge <dhgutteridge@sympatico.ca>
List: port-i386
Date: 12/06/2004 20:11:43
Those issues should be fixed in 2.4.10 (the advisories I looked at listed 2.4.4, but the NetBSD security team has it at 2.4.10); current (HEAD) pkgsrc is at 2.4.14.

If you don't currently use the audit-packages package, I strongly recommend it; it's very handy. It's under security/audit-packages in pkgsrc. Whether you always choose to heed its warnings or not, it's good to know about them.

Dave

> From: Ib-Michael Martinsen <imm@nethotel.dk>
> Date: 2004/12/06 Mon AM 09:22:39 EST
> To: "David H.Gutteridge" <dhgutteridge@sympatico.ca>
> CC: <port-i386@NetBSD.org>
> Subject: RE: Where is gtk2+>=2.2.4nb2
> 
> Hi David, you wrote:
> 
>  > gtk2 versions prior to 2.4.4 have security issues with them, so I
>  > gather the NetBSD team removed the binary packages that shipped
>  > with prior releases.  (The ISO image they shipped for 1.6.2/i386
>  > with packages included 2.2.4 without the nb2 patch level, I just
>  > looked at it.)  So the way to get it is to build it using pkgsrc.
> 
> Thank you for the response. Actually I found the library on a
> mirror-server (ftp.dk.netbsd.dk. I should get used to using the local
> server instead of the main server, but many times the local server is
> not up to date), but it turned out that too many of my other packages
> were also not up-to-date, so I ended up with an older version of gtk2+
> and audacity, which are working.
> 
> What is the point in re-compiling the package from source? Wouldn't
> you end up with the same security issues or have they been fixed now?
> 
> Kind regards
>   Ib-Michael Martinsen
> 
> -- 
> email at home: imm(at)nethotel.dk
> Running NetBSD/i386 v1.6.2
>