Subject: Re: Pkg sources that have exploits and I'd like updated
To: Ryan La Riviere <larz@cbis.ece.drexel.edu>
From: Thomas Klausner <wiz@netbsd.org>
List: tech-pkg
Date: 03/04/2003 17:38:48
On Tue, Mar 04, 2003 at 11:28:48AM -0500, Ryan La Riviere wrote:
> I have several packages that I run on my server that I'd like to be able to
> update to the latest versions but the source is not current (and I'm not
> adept at updating the packages to make them current). Additionally, the
> packages' sources are versions that have exploits.
>
> The following is the output from `audit-packages`:
>
> Package libmcrypt-2.4.22 has a remote-user-shell vulnerability, see
> http://online.securityfocus.com/archive/1/305162/2003-01-01/2003-01-07/0
No one did the update for this one yet, but ...
> Package openssl-0.9.6g has a weak-encryption vulnerability, see
> http://www.openssl.org/news/secadv_20030219.txt
openssl-0.9.6gnb1 is in pkgsrc.
> Package php-4.1.2 has a remote-code-execution vulnerability, see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
php-4.2.3nb2 is in pkgsrc.
> Package sendmail-8.12.6nb1 has a remote-code-execution vulnerability, see
> http://www.cert.org/advisories/CA-2003-07.html
sendmail-8.12.8 is in pkgsrc.
Just get a newer pkgsrc (e.g. from anoncvs) and update.
Cheers,
Thomas
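The check Thomas does by hand above (read each `audit-packages` line, look up whether pkgsrc already carries a newer version) can be automated. The following is an added example written for this page; it is not code from the thread, from NetBSD or from pkgsrc. It parses the audit-packages lines quoted in the thread (embedded here as constructed sample input), splits the package name from its version, and compares the installed version against the pkgsrc version Thomas reports, treating a trailing `nbN` as a pkgsrc revision that sorts after the base version. The version-comparison rules are a simplified assumption about the pkgsrc version format, not pkgsrc's own implementation.

```python
"""Added example: match audit-packages findings against versions known to be
in pkgsrc and report which installed packages have a fix available.

Assumptions (not pkgsrc's own rules): version components are dotted numbers
with an optional trailing letter (0.9.6g), and a trailing 'nbN' is a pkgsrc
revision that sorts after the same base version without it.
"""
import re

# Constructed sample input: the audit-packages lines quoted in the thread.
AUDIT_OUTPUT = """\
Package libmcrypt-2.4.22 has a remote-user-shell vulnerability, see
http://online.securityfocus.com/archive/1/305162/2003-01-01/2003-01-07/0
Package openssl-0.9.6g has a weak-encryption vulnerability, see
http://www.openssl.org/news/secadv_20030219.txt
Package php-4.1.2 has a remote-code-execution vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
Package sendmail-8.12.6nb1 has a remote-code-execution vulnerability, see
http://www.cert.org/advisories/CA-2003-07.html
"""

# Versions the reply says are in pkgsrc; libmcrypt had no update yet.
PKGSRC_VERSIONS = {
    "openssl": "0.9.6gnb1",
    "php": "4.2.3nb2",
    "sendmail": "8.12.8",
}

LINE_RE = re.compile(r"^Package (\S+) has a (\S+) vulnerability, see$")
_NB_RE = re.compile(r"^(.*?)(?:nb(\d+))?$")
_COMP_RE = re.compile(r"^(\d+)([a-z]*)$")


def split_pkg(pkg):
    """'sendmail-8.12.6nb1' -> ('sendmail', '8.12.6nb1'); the version never
    contains a dash, so the last dash separates name and version."""
    name, version = pkg.rsplit("-", 1)
    return name, version


def version_key(version):
    """Sortable key: ((num, letter), ...) padded to 8 components, then nb."""
    m = _NB_RE.match(version)
    base, nb = m.group(1), int(m.group(2) or 0)
    comps = []
    for part in base.split("."):
        cm = _COMP_RE.match(part)
        if not cm:
            raise ValueError(f"unsupported version component {part!r} in {version!r}")
        comps.append((int(cm.group(1)), cm.group(2)))
    comps += [(0, "")] * (8 - len(comps))  # so 1.0 == 1.0.0
    return tuple(comps) + (nb,)


def parse_audit(text):
    """Return one finding per 'Package ... has a ... vulnerability, see' line;
    the advisory URL is taken from the following line when present."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings, i = [], 0
    while i < len(lines):
        m = LINE_RE.match(lines[i])
        if not m:
            i += 1
            continue
        name, installed = split_pkg(m.group(1))
        url = ""
        if i + 1 < len(lines) and lines[i + 1].startswith("http"):
            url = lines[i + 1]
        findings.append({"name": name, "installed": installed,
                         "vuln": m.group(2), "url": url})
        i += 2 if url else 1
    return findings


def assess(text, pkgsrc_versions):
    """Annotate each finding with the pkgsrc version (if any) and whether it
    is strictly newer than the installed one."""
    report = []
    for f in parse_audit(text):
        fixed = pkgsrc_versions.get(f["name"])
        updatable = fixed is not None and version_key(fixed) > version_key(f["installed"])
        report.append({**f, "pkgsrc": fixed, "updatable": updatable})
    return report


if __name__ == "__main__":
    for f in assess(AUDIT_OUTPUT, PKGSRC_VERSIONS):
        status = f"update to {f['pkgsrc']}" if f["updatable"] else "no fix in pkgsrc yet"
        print(f"{f['name']}-{f['installed']}: {f['vuln']} -> {status}")
```

Run stand-alone it prints one line per finding; the `updatable` flag only becomes true when the pkgsrc version is strictly newer under the comparison above, so a package whose pkgsrc entry still equals the installed version is reported as unfixed rather than silently passed.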