netbsd-bugs: pkg/19157: audit-packages vulnerability list inaccurate for recent samba bug

Subject: pkg/19157: audit-packages vulnerability list inaccurate for recent samba bug
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jtk@kolvir.arlington.ma.us>
List: netbsd-bugs
Date: 11/24/2002 21:35:01

>Number:         19157
>Category:       pkg
>Synopsis:       audit-packages vulnerability list inaccurate for recent samba bug
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 24 18:36:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     John Kohl
>Release:        NetBSD 1.6_STABLE
>Organization:
NetBSD Kernel Hackers `R` Us
>Environment:
	
	
System: NetBSD kolvir.arlington.ma.us 1.6_STABLE NetBSD 1.6_STABLE (KOLVIR-$Revision: 1.51 $) #18: Fri Nov 1 22:29:05 EST 2002 jtk@kolvir.arlington.ma.us:/usr/u4/sandbox/src/sys/arch/i386/compile/KOLVIR i386
Architecture: i386
Machine: i386
>Description:
	The new vulnerability has an apparent false positive on samba-2.0.10.

The web page says the bug is in 2.2.2 through 2.2.6, not mentioning
2.0.x.

>How-To-Repeat:
%/usr/pkg/sbin/audit-packages
Package samba-2.0.10 has a remote-root-shell vulnerability, see http://www.samba.org/samba/whatsnew/samba-2.2.7.html

>Fix:
	express the vulnerability as samba-2.2.[23456] should do it.
	(is there a syntax for greater than release x and less than release y ?)
>Release-Note:
>Audit-Trail:
>Unformatted: