Subject: vulnerable packages and 'rc' as separator
To: None <tech-pkg@netbsd.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-pkg
Date: 05/17/2005 19:54:57
print/cups is failing to build (NetBSD/i386 2.99.15, pkgsrc from last
night's cvsup):

gdt 62 /usr/pkgsrc/print/cups > make
===> Checking for vulnerabilities in cups-1.1.23nb2
*** WARNING - privilege-escalation vulnerability in cups-1.1.23nb2 - see http://www.cups.org/str.php?L1024 for more information ***
or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential
*** Error code 1

pkg-vulnerabilities has:

cups<1.1.23rc1		remote-code-execution	http://www.cups.org/str.php?L1024

and the cups STR web interface reports this as fixed in 1.1.23rc1.

So, the check is falsely triggered, as 1.1.23rc1 < 1.1.23.

It might also/instead be a bug that 'rc' is used in
pkg-vulnerabilities, as that's not a netbsd version.