Subject: pkg/21443: vulnerability list reported on package install is confusing.
To: None <gnats-bugs@gnats.netbsd.org>
From: None <cgd@netbsd.org>
List: netbsd-bugs
Date: 05/03/2003 22:30:26
>Number: 21443
>Category: pkg
>Synopsis: vulnerability list reported on package install is confusing.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat May 03 22:31:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Chris Demetriou
>Release: 1.6.1 on i386, with pkgsrc from 1.6.1
>Organization:
>Environment:
see above.
>Description:
I installed apache (2.0.44) from the 1.6.1 pkgsrc tree, and
it was kind enough to tell me that that version of apache had
a security vulnerability.
However, the message was a bit confusing:
*** WARNING: This package (apache-2.0.44) has a security vulnerability ***
apache<1.3.14 remote-user-access http://httpd.apache.org/dist/httpd/CHANGES_1.3
apache<1.3.19 remote-user-access http://httpd.apache.org/dist/httpd/Announcement.html
apache<1.3.26 remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.1? remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.2? remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.3[0-8]* remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache<1.3.26nb1 remote-root-shell http://www.apache-ssl.org/advisory-20020620.txt
apache-2.0.3[0-9]* denial-of-service http://www.apacheweek.com/issues/02-09-27#apache2042
apache-2.0.4[0-1]* denial-of-service http://www.apacheweek.com/issues/02-09-27#apache2042
apache-2.0.3[0-9]* remote-root-shell http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache-2.0.4[0-2]* remote-file-read http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache<1.3.27 local-user-shell http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
apache<1.3.27 denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
apache<1.3.27 local-file-read http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache-2.0.[0-3][0-9] denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
apache-2.0.4[0-4] denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
*** WARNING: You are strongly advised to deinstall apache-2.0.44 now ***
My first thought was "huh, do I believe this, it's telling me about
apache 1.x?!?!"
Finally reading to the bottom of the list of 16 vulnerabilities, I found
the *one* that's actually relevant to my install. 8-)
It would be best to list only the relevant vulnerabilities, rather than
all of the historical vulnerabilities for that package, IMO.
>How-To-Repeat:
See above: install a package with a security issue, which has had
previous security issues, and note that all are printed instead of
just the relevant ones.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
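The fix the report asks for is a filter: keep only the vulnerability-list entries whose package pattern actually matches the installed package. The script below is an added example, not code from pkgsrc's audit-packages or pkg_install, that shows what such a filter does for the 16 lines printed above. It assumes the two pattern kinds that appear in that output: a dewey pattern such as apache<1.3.26nb1 (exact base name, then a version comparison in which nbN revisions sort after the base version and alpha/beta/rc sort before it) and a shell-style glob such as apache-2.0.4[0-4]. Range patterns of the form pkg>=a<b and csh-style {a,b} alternates, which pkgsrc also allows, are not handled here. The VULN_LIST text is copied from the report so the example runs offline.

```python
import fnmatch
import re

# The vulnerability lines exactly as printed in the report above (pattern, type, URL),
# embedded so the example runs offline. The real list is the pkgsrc vulnerabilities
# file that audit-packages downloads.
VULN_LIST = """\
apache<1.3.14 remote-user-access http://httpd.apache.org/dist/httpd/CHANGES_1.3
apache<1.3.19 remote-user-access http://httpd.apache.org/dist/httpd/Announcement.html
apache<1.3.26 remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.1? remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.2? remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.3[0-8]* remote-root-shell http://httpd.apache.org/info/security_bulletin_20020617.txt
apache<1.3.26nb1 remote-root-shell http://www.apache-ssl.org/advisory-20020620.txt
apache-2.0.3[0-9]* denial-of-service http://www.apacheweek.com/issues/02-09-27#apache2042
apache-2.0.4[0-1]* denial-of-service http://www.apacheweek.com/issues/02-09-27#apache2042
apache-2.0.3[0-9]* remote-root-shell http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache-2.0.4[0-2]* remote-file-read http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache<1.3.27 local-user-shell http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
apache<1.3.27 denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
apache<1.3.27 local-file-read http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache-2.0.[0-3][0-9] denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
apache-2.0.4[0-4] denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
"""

# Pre-release markers sort below the release they precede (1.0alpha1 < 1.0beta1 < 1.0rc1 < 1.0).
# Separators and "pl" contribute 0, so 1.0 == 1.0.0 and 1.0pl1 > 1.0. This is a simplified
# reading of pkgsrc dewey semantics, assumed for the example.
_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0, ".": 0, "_": 0}
_TOKEN = re.compile(r"\d+|alpha|beta|pre|rc|pl|[._]|[a-zA-Z]")
_DEWEY_PAT = re.compile(r"^(?P<pkg>[^<>]+?)(?P<op>[<>]=?)(?P<ver>[^<>]+)$")


def dewey(version):
    """Split a pkgsrc version such as '1.3.26nb1' into (components, nb_revision)."""
    base, _, nb = version.partition("nb")
    comps = []
    for tok in _TOKEN.findall(base):
        if tok.isdigit():
            comps.append(int(tok))
        elif tok in _MODIFIERS:
            comps.append(_MODIFIERS[tok])
        else:
            comps.append(ord(tok.lower()) - ord("a") + 1)  # single letter: 1.0a < 1.0b
    return comps, int(nb) if nb else 0


def dewey_cmp(a, b):
    """Return -1, 0 or 1 as version a is below, equal to or above version b."""
    ca, na = dewey(a)
    cb, nb = dewey(b)
    width = max(len(ca), len(cb))
    ca += [0] * (width - len(ca))  # pad so 1.0 and 1.0.0 compare equal
    cb += [0] * (width - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    return (na > nb) - (na < nb)  # same base version: the nbN revision decides


def pattern_matches(pattern, pkgname):
    """Does a vulnerability-list pattern apply to an installed pkgname like 'apache-2.0.44'?"""
    m = _DEWEY_PAT.match(pattern)
    if m:
        # Dewey pattern: the base name must match exactly, then the version is compared.
        base, _, ver = pkgname.rpartition("-")
        if base != m.group("pkg"):
            return False
        c = dewey_cmp(ver, m.group("ver"))
        return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[m.group("op")]
    if any(ch in pattern for ch in "*?["):
        return fnmatch.fnmatchcase(pkgname, pattern)  # shell-style glob
    return pattern == pkgname  # plain exact match


def relevant_entries(pkgname, vuln_text=VULN_LIST):
    """Return only the (pattern, type, url) entries whose pattern matches pkgname."""
    hits = []
    for line in vuln_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, vtype, url = line.split(None, 2)
        if pattern_matches(pattern, pkgname):
            hits.append((pattern, vtype, url))
    return hits


if __name__ == "__main__":
    # For apache-2.0.44 this prints only the CAN-2003-0132 line, the one the report says matters.
    for entry in relevant_entries("apache-2.0.44"):
        print(*entry)
```

Run against apache-2.0.44, the filter keeps exactly one of the 16 lines, apache-2.0.4[0-4] denial-of-service; the apache<1.3.x entries drop out because 2.0.44 compares above them, and the other globs fail on the minor-version digits. The same filter applied to apache-2.0.40 keeps three entries and to apache-1.3.26 keeps four (the three apache<1.3.27 lines plus apache<1.3.26nb1, since 1.3.26 sorts below 1.3.26nb1), which is the difference between a list a reader can act on and the historical dump the report complains about.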