pkgsrc-Users archive


Re: package with security hole not flagged at build time



On Tue, 09 Jan 2007 23:14:16 +0000
Adrian Portelli <adrianp%stindustries.net@localhost> wrote:

> Steven M. Bellovin wrote:
> > On Tue, 9 Jan 2007 18:35:43 +0100
> > Geert Hendrickx <ghen%telenet.be@localhost> wrote:
> > 
> >> On Tue, Jan 09, 2007 at 10:38:34AM -0500, Steven M. Bellovin wrote:
> >>> According to audit-packages, fetchmail-6.2.5.5nb1 has a security
> >>> hole. When I go to its directory and do a 'make', it builds it
> >>> without noticing the problem.  My pkgsrc is up-to-date (HEAD), as
> >>> is my audit-packages and the vulnerabilities file it uses.  (This
> >>> is on -current from about two weeks ago.)
> >> Do you have ALLOW_VULNERABLE_PACKAGES set in your environment or in
> >> mk.conf?
> >>
> > 
> > No:
> > 
> > # set|grep ALLOW_VULNERABLE_PACKAGES
> > # grep ALLOW_VULNERABLE_PACKAGES /etc/mk.conf
> > 
> > Btw, the same seems to be happening for print/acroread7.
> > 
> > 
> >             --Steve Bellovin, http://www.cs.columbia.edu/~smb
> 
> Just as a matter of interest, if you install the package and then run
> audit-packages, does it pick it up as being vulnerable?
>

Yes...

                --Steve Bellovin, http://www.cs.columbia.edu/~smb


