Subject: pkg-vulnerabilities, vulnerable packages, Opera 9.23, README.htmls
To: None <pkgsrc-users@netbsd.org>
From: Dennis den Brok <d.den.brok@uni-bonn.de>
List: pkgsrc-users
Date: 08/21/2007 22:52:55
To sum it up in a single mail:

   * Opera 9.23 is out for quite a while and fixes one security issue wi=
th
JavaScript and a few stability issues, so I guess the package ought to b=
e
updated and the updates pulled up to -2007Q2, which doesn't seem to have=

9.22 yet, even (which already fixed security issues);
   * pkg-vulnerabilities doesn't list at least the security issue fixed =
by
the release of Opera 9.23;
   * What I'm wondering about: Firefox 2.0.0.6 has this long-standing
remote-information-exposure issue which prevents it from being built
without ALLOW_VULNERABLE=3Dyes; yet, there's a binary package available =
from
a directory different from packages/vulnerable, and the corresponding
README.html doesn't mention any vulnerabilities at all. I reckon this is=

to not confuse new users with such a popular package being not instantly=

available, but I haven't found anything about a change of policy regardi=
ng
that matter; ISTR that earlier, Firefox was being treated differently?
   * The links to dependencies in the README.htmls on the pkgsrc ftp-ser=
ver
are long since broken. There's one "../" missing, for instance in
x11/9term/README.html, there's a link to
ftp://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/x11/editors/sam/README.ht=
ml.
Note "x11/editors".

TIA for anything.

-- =

Dennis den Brok