pkgsrc-Users archive


Re: README.html: cannot find vulnerability list



--- Adrian Portelli <adrianp%stindustries.net@localhost> wrote:

> Gary Thorpe wrote:
> ...
> > 
> > I applied the patch but the result seems to be the same:
> > 
> ...
> 
> Hi,
> 
> Could you please do a 'cvs update' and try again ?  I think I found
> the problem and committed a fix for it.
> 
> thanks,
> 
> adrian.
> 
> 

Hi,

I updated just a while ago and it now finds and includes some
vulnerability information:

Loading binary package cache file...
    * /usr/pkgsrc/packages/.pkgcache
Flattening dependencies
Flattening build dependencies
Reading vulnerability file "/usr/pkgsrc/distfiles/pkg-vulnerabilities"
 which was updated at Jul 3 11:01

   Loaded 2560 vulnerabilities
Only creating README for www/firefox
Generating README.html files
.

However, the content of the README.html does not seem up-to-date:

The following security vulnerabilities are known for www/firefox at Jul
   3 11:01 :
     * firefox<0.10 has a remote-code-execution vulnerability
     * firefox<0.10.1 has a local-file-write vulnerability
     * firefox<1.0 has a local-file-write vulnerability

While the current version has a vulnerability and cannot be built by
default:

make package
=> Required installed package digest>=20010302: digest-20070703 found
=> Required installed package checkperms>=1.1: checkperms-1.7 found
===> Checking for vulnerabilities in firefox-2.0.0.6
ERROR: remote-information-exposure vulnerability in firefox-2.0.0.6 -
see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894 for
more information
firefox{,2}{,-bin,-gtk1}-[0-9]*
ERROR: Define ALLOW_VULNERABLE_PACKAGES if this package is absolutely
essential
*** Error code 1

Stop.
make: stopped in /usr/pkgsrc/www/firefox

This is the relevant line in pkg-vulnerabilities:

1984:firefox{,2}{,-bin,-gtk1}-[0-9]*    remote-information-exposure    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894

So, now the file is being found, but the complete vulnerability list is
missing from the generated README.html. This seems like a new issue and
maybe more worrisome as now the information is incomplete/inaccurate
[firefox has a lot more than 3 vulnerabilities, for example].

The README.html for www/lynx seems correct with respect to
vulnerabilities, but it only has one line in pkg-vulnerabilities and I
suspect that pattern matching may be causing the problem with
generating the README.html for www/firefox (new issue, seems more
specific but could also affect a lot more packages).

Thank you for getting this resolved (at least in this configuration).


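To make the pattern-matching suspicion above concrete, here is an added example (not pkgsrc's own code) that re-implements, in simplified form, how a pkg-vulnerabilities entry is matched against an installed package name: dewey comparisons such as firefox<0.10, csh-style brace alternation, and globs such as firefox{,2}{,-bin,-gtk1}-[0-9]*. The version comparison (digit runs plus the nb suffix, no alpha/beta/rc handling) and every URL except the quoted CVE-2006-2894 link are assumptions; the sample file is constructed.

```python
import re
from fnmatch import fnmatchcase

def brace_expand(pat):
    """Expand csh-style {a,b,} alternatives; innermost braces first, so nesting works."""
    m = re.search(r'\{([^{}]*)\}', pat)
    if not m:
        return [pat]
    out = []
    for alt in m.group(1).split(','):
        out.extend(brace_expand(pat[:m.start()] + alt + pat[m.end():]))
    return out

def dewey(ver):
    """Version -> (digit runs of the base, nb revision). Simplified (assumption):
    modifiers like alpha/beta/rc are not handled."""
    base, _, nb = ver.partition('nb')
    return [int(x) for x in re.findall(r'\d+', base)], int(nb or 0)

def version_holds(ver, op, bound):
    """True if ver satisfies `op bound`; shorter versions are padded with zeros (1.0 == 1.0.0)."""
    (a, anb), (b, bnb) = dewey(ver), dewey(bound)
    w = max(len(a), len(b))
    left, right = (a + [0] * (w - len(a)), anb), (b + [0] * (w - len(b)), bnb)
    return {'<': left < right, '<=': left <= right,
            '>': left > right, '>=': left >= right}[op]

def pkg_match(pattern, pkg):
    """True if a package name like firefox-2.0.0.6 matches one vulnerability pattern."""
    name, _, ver = pkg.rpartition('-')
    for alt in brace_expand(pattern):
        m = re.fullmatch(r'([^<>]+)((?:[<>]=?[^<>]+)+)', alt)
        if m is None:                       # no comparison operator: plain glob
            if fnmatchcase(pkg, alt):
                return True
            continue
        if m.group(1) != name:              # dewey patterns need an exact base name
            continue
        conds = re.findall(r'([<>]=?)([^<>]+)', m.group(2))
        if all(version_holds(ver, op, bound) for op, bound in conds):
            return True
    return False

def vulnerabilities_for(vuln_text, pkg):
    """Parse pkg-vulnerabilities lines (pattern  type  url) and return the entries matching pkg."""
    hits = []
    for line in vuln_text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        pattern, vtype, url = line.split()
        if pkg_match(pattern, pkg):
            hits.append((pattern, vtype, url))
    return hits

# Constructed sample; only the CVE-2006-2894 line mirrors the real file, the other URLs are placeholders.
SAMPLE = """#FORMAT 1.1.0
firefox<0.10  remote-code-execution  http://example.invalid/placeholder-1
firefox<0.10.1  local-file-write  http://example.invalid/placeholder-2
firefox<1.0  local-file-write  http://example.invalid/placeholder-3
firefox{,2}{,-bin,-gtk1}-[0-9]*  remote-information-exposure  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894
"""
```

Running `vulnerabilities_for(SAMPLE, 'firefox-2.0.0.6')` returns only the glob entry, while `firefox-0.9` hits all four; a README generator that skips glob or brace patterns would miss exactly the CVE-2006-2894 line that `make package` stops on.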


