Subject: Re: What to do about unfixed vulnerabilities?
To: Paul Hoffman <phoffman@proper.com>
From: Alistair Crooks <AlistairCrooks@excite.com>
List: tech-security
Date: 10/23/2000 09:45:20
Message-ID: <20911897.972319520349.JavaMail.imail@prickles>
Reply-To:  <agc@pkgsrc.org>
To: Paul Hoffman <phoffman@proper.com>, tech-pkg@netbsd.org, 
 tech-security@netbsd.org


On Mon, 23 Oct 2000 09:12:21 -0700, Paul Hoffman wrote:

>  The new audit-packages package is quite nice, and thanks for the work 
>  that went into it. I run it, and it tells me:
>  
>       Package pine-4.21 has a denial-of-service vulnerability,
>       see http://www.securityfocus.com/advisories/2646
>  
>  Yes, but pine-4.21 is the current version of pine. Maybe you can put 
>  a note in the NetBSD vulnerability list explaining either (a) where 
>  in pkgsrc to get the update or (b) don't bother to look, it hasn't 
>  been fixed yet.

Thanks - the cvs log for the pine Makefile tells me that the advisory in
http://www.securityfocus.com/advisories/2646 was fixed in version 1.35 of
the Makefile on September 9th 2000 by hubertf. You don't need cvs access to
find this out - you can view it from the cvsweb interface
(http://cvsweb.netbsd.org/bsdweb.cgi/).

I agree, however, that the version numbering may be obscure - we should
perhaps change the vulnerability list to reflect the first version which is
safe, rather than the last vulnerable version, to make it obvious what's
going on.

i.e. pine<4.21nb1, rather than pine<=4.21

Regards,
Al 

--
Alistair Crooks (agc@pkgsrc.org)
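The point of the mail is the version pattern on the vulnerability list: `pine<=4.21` and `pine<4.21nb1` flag the same installed packages, but only the second one tells a reader which package in pkgsrc is the fixed one. The following is an added example, not the audit-packages or pkg_install code; it is a simplified model of pkgsrc Dewey version ordering (dot-separated numbers, alpha/beta/pre/rc/pl modifiers, and a trailing nbN revision suffix that sorts after the base version) and assumes the three-column `pattern type url` line layout of the vulnerability list. The installed package set and the second list entry are constructed for the example; the pine line and the securityfocus URL are the ones quoted in the mail.

```python
"""Model of how a pkgsrc vulnerability-list pattern is matched against
installed packages. Assumption: Dewey-style versions with an nbN suffix
that is compared last (4.21 < 4.21nb1 < 4.21.1 < 4.22); not the real
audit-packages code."""
import re

# Modifier words sort below the numeric component they precede (assumed order).
MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}


def parse_version(ver):
    """Split '4.21nb1' into ([4, 21], 1) and '1.0rc2' into ([1, 0, -1, 2], 0)."""
    nb = 0
    m = re.fullmatch(r"(.*?)nb(\d+)", ver)
    if m:
        ver, nb = m.group(1), int(m.group(2))
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+|[^\dA-Za-z]+", ver):
        if tok.isdigit():
            parts.append(int(tok))
        elif tok.lower() in MODIFIERS:
            parts.append(MODIFIERS[tok.lower()])
        elif tok in (".", "_", "-"):
            continue  # separators carry no ordering information
        else:
            raise ValueError("unsupported version component %r in %r" % (tok, ver))
    return parts, nb


def compare_versions(a, b):
    """Return -1, 0 or 1 as version string a is <, == or > version string b."""
    pa, nba = parse_version(a)
    pb, nbb = parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))  # 4.21 compares like 4.21.0
    pb += [0] * (width - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    if nba != nbb:                  # nb suffix is the lowest-order component
        return -1 if nba < nbb else 1
    return 0


def split_pkgname(pkgname):
    """'pine-4.21nb1' -> ('pine', '4.21nb1'): version starts at the last '-' followed by a digit."""
    m = re.fullmatch(r"(.+)-(\d[^-]*)", pkgname)
    if not m:
        raise ValueError("not a name-version package name: %r" % pkgname)
    return m.group(1), m.group(2)


CONDITION_RE = re.compile(r"(<=|>=|<|>|==)([^<>=]+)")


def pattern_matches(pattern, pkgname):
    """True if the installed package (e.g. 'pine-4.21') is inside the pattern (e.g. 'pine<4.21nb1').

    Several bounds may be chained, e.g. 'pine>=4.20<4.21nb1'; all must hold."""
    m = re.fullmatch(r"([^<>=]+)((?:(?:<=|>=|<|>|==)[^<>=]+)+)", pattern)
    if not m:
        raise ValueError("bad pattern %r" % pattern)
    name, conditions = m.groups()
    pkg, ver = split_pkgname(pkgname)
    if pkg != name:
        return False
    for op, bound in CONDITION_RE.findall(conditions):
        c = compare_versions(ver, bound)
        if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "==": c == 0}[op]:
            return False
    return True


def audit(vulnerability_list, installed):
    """Return (pkgname, type, url) for every installed package hit by a list entry."""
    hits = []
    for line in vulnerability_list.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split()[:3]
        for pkgname in installed:
            if pattern_matches(pattern, pkgname):
                hits.append((pkgname, kind, url))
    return hits


# Constructed sample data: the two list styles the mail contrasts, plus a
# fixed package, a newer package and an unrelated package.
ADVISORY = "http://www.securityfocus.com/advisories/2646"
LAST_VULNERABLE_STYLE = "pine<=4.21 denial-of-service " + ADVISORY + "\n"
FIRST_SAFE_STYLE = "pine<4.21nb1 denial-of-service " + ADVISORY + "\n"
INSTALLED = ["pine-4.21", "pine-4.21nb1", "pine-4.22", "mutt-1.2.5"]

if __name__ == "__main__":
    for label, entries in (("last vulnerable", LAST_VULNERABLE_STYLE),
                           ("first safe", FIRST_SAFE_STYLE)):
        for pkg, kind, url in audit(entries, INSTALLED):
            print("[%s] Package %s has a %s vulnerability, see %s" % (label, pkg, kind, url))
```

Run against the constructed package set, both list styles report only `pine-4.21`: `pine-4.21nb1` is above `4.21` because the nb suffix is compared after every numeric component, so neither `<=4.21` nor `<4.21nb1` matches it. The difference is purely in what the line tells the person reading the report, which is the change the mail proposes.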