Subject: Re: Pkg sources that have exploits and I'd like updated
To: Ryan La Riviere <larz@cbis.ece.drexel.edu>
From: Thomas Klausner <wiz@netbsd.org>
List: tech-pkg
Date: 03/04/2003 17:38:48
On Tue, Mar 04, 2003 at 11:28:48AM -0500, Ryan La Riviere wrote:
> I have several packages that I run on my server that I'd like to be able to
> update to the latest versions but the source is not current (and I'm not
> adept at updating the packages to make them current).  Additionally, the
> packages' sources are versions that have exploits.
> 
> The following is the output from `audit-packages`:
> 
> Package libmcrypt-2.4.22 has a remote-user-shell vulnerability, see
> http://online.securityfocus.com/archive/1/305162/2003-01-01/2003-01-07/0

No one did the update for this one yet, but ...

> Package openssl-0.9.6g has a weak-encryption vulnerability, see
> http://www.openssl.org/news/secadv_20030219.txt

openssl-0.9.6gnb1 is in pkgsrc.

> Package php-4.1.2 has a remote-code-execution vulnerability, see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396

php-4.2.3nb2 is in pkgsrc.

> Package sendmail-8.12.6nb1 has a remote-code-execution vulnerability, see
> http://www.cert.org/advisories/CA-2003-07.html

sendmail-8.12.8 is in pkgsrc.

Just get a newer pkgsrc (e.g. from anoncvs) and update.

Cheers,
 Thomas
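An added example, not part of the thread: a small script that parses `audit-packages` output of the shape quoted above, pairs each finding with its advisory URL, and reports whether a newer package exists in pkgsrc. The sample output and the pkgsrc version table are constructed from the lines in this thread, and the version ordering is a simplified dewey comparison, not pkg_install's exact algorithm.

```python
import re

# Constructed sample input, modelled on the audit-packages lines quoted in the thread.
AUDIT_OUTPUT = """\
Package libmcrypt-2.4.22 has a remote-user-shell vulnerability, see
http://online.securityfocus.com/archive/1/305162/2003-01-01/2003-01-07/0
Package openssl-0.9.6g has a weak-encryption vulnerability, see
http://www.openssl.org/news/secadv_20030219.txt
Package php-4.1.2 has a remote-code-execution vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
Package sendmail-8.12.6nb1 has a remote-code-execution vulnerability, see
http://www.cert.org/advisories/CA-2003-07.html
"""
# Constructed: the versions the reply says are in pkgsrc (libmcrypt had none yet).
PKGSRC_VERSIONS = {"openssl": "0.9.6gnb1", "php": "4.2.3nb2", "sendmail": "8.12.8"}

LINE_RE = re.compile(r"^Package (\S+) has a (\S+) vulnerability, see$")

def version_key(version):
    """Simplified dewey ordering (assumption: not pkg_install's exact algorithm).
    Numbers compare as ints, a single letter as its alphabet index, and the pkgsrc
    'nbN' package revision is compared last, so 0.9.6 < 0.9.6g < 0.9.6gnb1."""
    base, _, nb = version.partition("nb")
    parts = [int(t) if t.isdigit() else ord(t) - ord("a") + 1
             for t in re.findall(r"\d+|[a-z]", base)]
    return parts, int(nb or 0)

def parse_audit(output):
    """Return (name, version, kind, advisory_url) per finding; the URL sits on the
    line after the 'Package ...' line, and the version follows the last '-'."""
    lines = output.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if m:
            name, _, version = m.group(1).rpartition("-")
            url = lines[i + 1].strip() if i + 1 < len(lines) else ""
            findings.append((name, version, m.group(2), url))
    return findings

def update_plan(output, available):
    """Map each vulnerable package to (installed, newer_in_pkgsrc_or_None)."""
    plan = {}
    for name, version, _kind, _url in parse_audit(output):
        newer = available.get(name)
        if newer and version_key(newer) > version_key(version):
            plan[name] = (version, newer)
        else:
            plan[name] = (version, None)  # nothing newer in pkgsrc yet
    return plan
```

Running `update_plan(AUDIT_OUTPUT, PKGSRC_VERSIONS)` reports three packages that a pkgsrc update would fix and leaves libmcrypt flagged with no newer version, matching the reply.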