Subject: Re: What to do about unfixed vulnerabilities?
To: Paul Hoffman <phoffman@proper.com>
From: Hisashi T Fujinaka <htodd@twofifty.com>
List: tech-security
Date: 10/23/2000 09:19:15
cc: tech-pkg@netbsd.org, tech-security@netbsd.org
In-Reply-To: <p0501047cb61a1312ed65@[165.227.249.17]>
Message-ID: <Pine.GSO.4.21.0010230917300.13016-100000@fls.i8u.org>

On Mon, 23 Oct 2000, Paul Hoffman wrote:

> The new audit-packages package is quite nice, and thanks for the work 
> that went into it. I run it, and it tells me:
> 
>      Package pine-4.21 has a denial-of-service vulnerability,
>      see http://www.securityfocus.com/advisories/2646
> 
> Yes, but pine-4.21 is the current version of pine. Maybe you can put 
> a note in the NetBSD vulnerability list explaining either (a) where 
> in pkgsrc to get the update or (b) don't bother to look, it hasn't 
> been fixed yet.

In general, the answer is (b), but I think the NetBSD version was
patched. I can't find a new or beta version on the official pine
site. Maybe Mark Crispin isn't convinced he's done anything wrong (again).

-- 
Hisashi T Fujinaka - htodd@twofifty.com
BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte
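The thread asks that each entry in the vulnerability list say whether a fixed package exists in pkgsrc or whether the hole is still open upstream. The following is an added example, written for this archive page and not code from pkgsrc's audit-packages or the pkg-vulnerabilities file, showing how an audit tool could carry and report that status. The three-column "pattern type url" line shape mirrors what audit-packages consumes; the optional fourth column ("fixed-in:<version>" or "unfixed") is an assumption that implements the note Paul suggested. The vulnerability list, the installed-package names and the example.invalid URLs are constructed sample data; only the SecurityFocus URL comes from the message above.

```python
"""Audit installed packages against a vulnerability list that records fix status.

Added example for the tech-security thread, not pkgsrc's own audit-packages.
The fourth column ('fixed-in:<version>' or 'unfixed') is an assumed extension
that records whether an updated package exists, so the report can tell the
reader either where to get the fix or that there is nothing to look for yet.
"""
import re

# Constructed vulnerability list. Only the SecurityFocus URL is from the thread;
# the other entries, versions and example.invalid URLs are made up for the demo.
VULN_LIST = """\
# pattern        type                  url                                          status
pine<4.30        denial-of-service     http://www.securityfocus.com/advisories/2646 unfixed
zlib<1.1.4       remote-code-execution http://example.invalid/advisory/zlib         fixed-in:1.1.4
lynx-2.8.3       remote-root-shell     http://example.invalid/advisory/lynx         fixed-in:2.8.4
"""

# Constructed set of installed packages in the name-version form pkg_info prints.
INSTALLED = ["pine-4.21", "zlib-1.1.3", "lynx-2.8.4", "screen-3.9.8"]

# The last '-' followed by a digit separates package name from version.
_SPLIT = re.compile(r"^(.*?)-(\d[^-]*)$")
_PAT = re.compile(r"^([^<>=]+)(<=|>=|<|>)(.+)$")
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def split_pkg(pkg):
    """'pine-4.21' -> ('pine', '4.21'); 'foo-bar-1.2nb3' -> ('foo-bar', '1.2nb3')."""
    m = _SPLIT.match(pkg)
    if not m:
        raise ValueError("not a name-version string: %r" % pkg)
    return m.group(1), m.group(2)


def version_key(v):
    """Comparable key for a version: numeric runs compare as numbers, text runs
    (such as the 'nb' in '1.0nb2') sort after a bare release of the same base."""
    parts = re.findall(r"\d+|[a-zA-Z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def matches(pattern, pkg):
    """True when an installed package falls under a vulnerability pattern.
    Patterns are either 'name<version' style comparisons or an exact name-version."""
    name, ver = split_pkg(pkg)
    m = _PAT.match(pattern)
    if m:
        pname, op, pver = m.groups()
        return pname == name and _OPS[op](version_key(ver), version_key(pver))
    return pattern == pkg


def describe_status(status):
    """Turn the assumed fourth column into the note the thread asked for."""
    if status == "unfixed":
        return "no fixed version available yet; do not look for an update"
    if status.startswith("fixed-in:"):
        return "fixed in version %s; update from pkgsrc" % status[len("fixed-in:"):]
    return "fix status unknown"


def audit(installed, vuln_text):
    """Return one report line per (installed package, matching vulnerability)."""
    findings = []
    for line in vuln_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry: skip rather than guess
        pattern, vtype, url = fields[:3]
        status = fields[3] if len(fields) > 3 else "unknown"
        for pkg in installed:
            if matches(pattern, pkg):
                findings.append("Package %s has a %s vulnerability, see %s (%s)"
                                % (pkg, vtype, url, describe_status(status)))
    return findings


if __name__ == "__main__":
    for line in audit(INSTALLED, VULN_LIST):
        print(line)
```

Run against the constructed data, the report flags pine-4.21 with the "no fixed version available yet" note and zlib-1.1.3 with "fixed in version 1.1.4", while lynx-2.8.4 is silent because the exact-match entry only names 2.8.3. Keeping the fix status in the list itself, rather than in the reader's head, is what lets the tool answer the (a)/(b) question from the thread on every run.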