Subject: Re: pkgsrc/distfiles/vulnerabilities
To: Hitoshi Asaeda <asaeda@yamato.ibm.co.jp>
From: Alistair Crooks <AlistairCrooks@excite.com>
List: current-users
Date: 09/21/2000 02:35:41
On Thu, 21 Sep 2000 13:49:42 +0900 (JST), Hitoshi Asaeda wrote:

>  Hi.
>  
>  Recent pkgsrc may require a file or something whose name is
>  "vulnerabilities" under pkgsrc/distfiles.
>  What is this? Is there any notification for the above change?
>  
>  I've just glanced at this; it is caused by the new bsd.pkg.mk.
>  --
>  Hitoshi Asaeda

My apologies - in my haste to get the changes in to support
the pkgsrc/security/audit-packages package, one of the changes
I made to pkgsrc/mk/bsd.pkg.mk meant that an installation of a
package would fail if there wasn't a list of vulnerable packages
on the machine. I fixed this yesterday (UK time) in revision
1.578 of pkgsrc/mk/bsd.pkg.mk.

Just to explain about the audit-packages package - there are
two scripts included in that package: (1) download-vulnerability-list, which
downloads the latest list of security vulnerabilities
in packages from ftp.netbsd.org, and (2) audit-packages, which
looks at the installed packages on a machine to see if any of them are
vulnerable to security exploits, checked against the downloaded
vulnerability list.

agc@sys1:/usr/pkgsrc(60)% audit-packages
Package ntop-1.0 has a remote-root-shell vulnerability, see
http://www.securityfocus.com/advisories/2520
agc@sys1:/usr/pkgsrc(61)%

[BTW, I really have ntop-1.1 installed, for all of those of you
who now try to hack wherever I am, I just renamed the directory
to give an example - agc]

Regards,
Alistair
--
Alistair Crooks (agc@pkgsrc.org)
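To illustrate the check that audit-packages performs, here is a small added example (not the pkgsrc script itself) that matches an installed-package list against a downloaded vulnerability list. The list format (pattern, vulnerability type, advisory URL, one entry per line) and the installed-package strings are assumptions constructed for the example.

```python
import re

# Constructed sample vulnerability list, modelled on the ntop entry in the mail.
# Assumed format: <package-pattern> <vulnerability-type> <advisory-url>
# where the pattern is NAME<VERSION, NAME<=VERSION or NAME-VERSION (exact match).
VULN_LIST = """\
# pkg-pattern   type               advisory
ntop<1.1        remote-root-shell  http://www.securityfocus.com/advisories/2520
foo-2.0         local-root-shell   http://example.invalid/advisory/foo
bar<=3.4.1      denial-of-service  http://example.invalid/advisory/bar
"""

# Constructed "installed packages", as name-version strings (pkg_info style).
INSTALLED = ["ntop-1.0", "foo-2.1", "bar-3.4.1", "baz-0.9"]


def split_pkg(pkg):
    """Split 'name-1.2.3' into ('name', '1.2.3') at the last dash."""
    name, _, version = pkg.rpartition("-")
    return name, version


def version_key(version):
    """Comparable key for dotted versions so that '1.10' sorts after '1.9'."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in version.split("."))


def parse_pattern(pattern):
    """Return (name, operator, version) for NAME<VER, NAME<=VER or NAME-VER."""
    m = re.match(r"^(.+?)(<=|<)(.+)$", pattern)
    if m:
        return m.group(1), m.group(2), m.group(3)
    name, version = split_pkg(pattern)
    return name, "==", version


def matches(installed, pattern):
    """True if the installed name-version string falls inside the pattern."""
    name, op, ver = parse_pattern(pattern)
    iname, iver = split_pkg(installed)
    if iname != name:
        return False
    a, b = version_key(iver), version_key(ver)
    return {"<": a < b, "<=": a <= b, "==": a == b}[op]


def audit(installed, vuln_text):
    """Return (package, type, url) for every installed package hit by the list."""
    findings = []
    for line in vuln_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        pattern, vtype, url = line.split()
        findings.extend((p, vtype, url) for p in installed if matches(p, pattern))
    return findings


if __name__ == "__main__":
    for pkg, vtype, url in audit(INSTALLED, VULN_LIST):
        print(f"Package {pkg} has a {vtype} vulnerability, see {url}")
```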