pkgsrc-Users archive
Re: package with security hole not flagged at build time
Steven M. Bellovin wrote:
> On Tue, 9 Jan 2007 18:35:43 +0100
> Geert Hendrickx <ghen%telenet.be@localhost> wrote:
>
>> On Tue, Jan 09, 2007 at 10:38:34AM -0500, Steven M. Bellovin wrote:
>>> According to audit-packages, fetchmail-6.2.5.5nb1 has a security
>>> hole. When I go to its directory and do a 'make', it builds it
>>> without noticing the problem. My pkgsrc is up-to-date (HEAD), as
>>> is my audit-packages and the vulnerabilities file it uses. (This
>>> is on -current from about two weeks ago.)
>> Do you have ALLOW_VULNERABLE_PACKAGES set in your environment or in
>> mk.conf?
>>
>
> No:
>
> # set|grep ALLOW_VULNERABLE_PACKAGES
> # grep ALLOW_VULNERABLE_PACKAGES /etc/mk.conf
>
> Btw, the same seems to be happening for print/acroread7.
>
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb
Just as a matter of interest, if you install the package and then run
audit-packages, does it pick it up as being vulnerable?
adrian.