Subject: pkg/21443: vulnerability list reported on package install is confusing.
To: None <gnats-bugs@gnats.netbsd.org>
From: None <cgd@netbsd.org>
List: netbsd-bugs
Date: 05/03/2003 22:30:26
>Number:         21443
>Category:       pkg
>Synopsis:       vulnerability list reported on package install is confusing.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat May 03 22:31:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Chris Demetriou
>Release:        1.6.1 on i386, with pkgsrc from 1.6.1
>Organization:
>Environment:
see above.

>Description:
I installed apache (2.0.44) from the 1.6.1 pkgsrc tree, and
it was kind enough to tell me that that version of apache had
a security vulnerability.

However, the message was a bit confusing:

*** WARNING: This package (apache-2.0.44) has a security vulnerability ***
apache<1.3.14           remote-user-access      http://httpd.apache.org/dist/httpd/CHANGES_1.3
apache<1.3.19           remote-user-access      http://httpd.apache.org/dist/httpd/Announcement.html
apache<1.3.26           remote-root-shell       http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.1?           remote-root-shell       http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.2?           remote-root-shell       http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.3[0-8]*      remote-root-shell       http://httpd.apache.org/info/security_bulletin_20020617.txt
apache<1.3.26nb1        remote-root-shell       http://www.apache-ssl.org/advisory-20020620.txt
apache-2.0.3[0-9]*      denial-of-service       http://www.apacheweek.com/issues/02-09-27#apache2042
apache-2.0.4[0-1]*      denial-of-service       http://www.apacheweek.com/issues/02-09-27#apache2042
apache-2.0.3[0-9]*      remote-root-shell       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache-2.0.4[0-2]*      remote-file-read        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache<1.3.27           local-user-shell        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
apache<1.3.27           denial-of-service       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
apache<1.3.27           local-file-read         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache-2.0.[0-3][0-9]   denial-of-service       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
apache-2.0.4[0-4]       denial-of-service       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
*** WARNING: You are strongly advised to deinstall apache-2.0.44 now ***

My first thought was "huh, do I believe this, it's telling me about
apache 1.x?!?!"

Finally reading to the bottom of the list of 16 vulnerabilities, I found
the *one* that's actually relevant to my install.  8-)

It would be best to list only the relevant vulnerabilities, rather than
all of the historical vulnerabilities for that package, IMO.
>How-To-Repeat:
See above.  Install a package with a security issue, which has had
previous security issues, and note that all are printed instead of
just the relevant ones.
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
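The filtering this report asks for, as an added example written for this
page (not pkgsrc's own audit-packages code): parse a three-column
vulnerability list (package pattern, vulnerability type, reference URL) and
print only the entries whose pattern actually matches the installed package.
The sample list is constructed from the 16 entries quoted above. The
version comparison is a simplified form of pkgsrc's dewey rules (numeric
components, alpha/beta/rc/pre modifiers, nbN revisions), and the names
relevant_entries, pattern_matches and warning_text are this example's own.

```python
"""Show only the vulnerability entries that apply to one installed package.
Added example for this bug report; not pkgsrc's own audit-packages code."""
import re
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Tuple


class VulnEntry(NamedTuple):
    pattern: str  # package pattern, e.g. "apache<1.3.27" or "apache-2.0.4[0-4]"
    kind: str     # vulnerability type, e.g. "denial-of-service"
    url: str      # reference URL


# Constructed sample: the 16 entries quoted in the report, in the same
# three-column layout as the pkg-vulnerabilities file (pattern, type, url).
SAMPLE_VULNS = """\
apache<1.3.14           remote-user-access      http://httpd.apache.org/dist/httpd/CHANGES_1.3
apache<1.3.19           remote-user-access      http://httpd.apache.org/dist/httpd/Announcement.html
apache<1.3.26           remote-root-shell       http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.1?           remote-root-shell       http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.2?           remote-root-shell       http://httpd.apache.org/info/security_bulletin_20020617.txt
apache-2.0.3[0-8]*      remote-root-shell       http://httpd.apache.org/info/security_bulletin_20020617.txt
apache<1.3.26nb1        remote-root-shell       http://www.apache-ssl.org/advisory-20020620.txt
apache-2.0.3[0-9]*      denial-of-service       http://www.apacheweek.com/issues/02-09-27#apache2042
apache-2.0.4[0-1]*      denial-of-service       http://www.apacheweek.com/issues/02-09-27#apache2042
apache-2.0.3[0-9]*      remote-root-shell       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache-2.0.4[0-2]*      remote-file-read        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache<1.3.27           local-user-shell        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
apache<1.3.27           denial-of-service       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
apache<1.3.27           local-file-read         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
apache-2.0.[0-3][0-9]   denial-of-service       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
apache-2.0.4[0-4]       denial-of-service       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
"""


def parse_vulnerabilities(text: str) -> List[VulnEntry]:
    """Parse pattern/type/url lines; blank lines and '#' comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed vulnerability entry: {line!r}")
        entries.append(VulnEntry(*fields))
    return entries


_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}


def dewey(version: str) -> Tuple[List[int], int]:
    """Simplified pkgsrc dewey key: numeric parts compare numerically,
    alpha/beta/rc/pre sort below the release, any other letter run counts as a
    small positive step, and a trailing pkgsrc 'nbN' revision is a tiebreaker."""
    base, _, nb = version.partition("nb")
    parts: List[int] = []
    for tok in re.findall(r"\d+|[A-Za-z]+", base):
        if tok.isdigit():
            parts.append(int(tok))
        else:
            parts.append(_MODIFIERS.get(tok.lower(), ord(tok[0].lower()) - 96))
    return parts, int(nb) if nb.isdigit() else 0


def version_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b (missing components count as 0)."""
    pa, nba = dewey(a)
    pb, nbb = dewey(b)
    width = max(len(pa), len(pb))
    ka = (pa + [0] * (width - len(pa)), nba)
    kb = (pb + [0] * (width - len(pb)), nbb)
    return (ka > kb) - (ka < kb)


def split_pkgname(pkgname: str) -> Tuple[str, str]:
    """'apache-2.0.44' -> ('apache', '2.0.44'); the version starts at the last
    '-' followed by a digit, as in pkgsrc package names."""
    m = re.match(r"^(.+)-(\d.*)$", pkgname)
    if not m:
        raise ValueError(f"no version in package name {pkgname!r}")
    return m.group(1), m.group(2)


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0}
_DEWEY_PATTERN = re.compile(r"^([^<>]+)((?:[<>]=?[^<>]+)+)$")


def pattern_matches(pattern: str, installed: str) -> bool:
    """Does one vulnerability-list pattern apply to the installed package?
    Dewey ('name<1.3.27', 'name>=2.0<2.1'), glob ('name-2.0.4[0-4]') or exact."""
    m = _DEWEY_PATTERN.match(pattern)
    if m:
        name, version = split_pkgname(installed)
        if m.group(1) != name:  # a dewey pattern only applies to its own package
            return False
        return all(_OPS[op](version_cmp(version, want))
                   for op, want in re.findall(r"([<>]=?)([^<>]+)", m.group(2)))
    if any(ch in pattern for ch in "*?["):
        return fnmatchcase(installed, pattern)
    return pattern == installed


def relevant_entries(installed: str, entries: List[VulnEntry]) -> List[VulnEntry]:
    """Only the entries whose pattern matches the installed package."""
    return [e for e in entries if pattern_matches(e.pattern, installed)]


def warning_text(installed: str, entries: List[VulnEntry]) -> str:
    """The install-time warning, listing only the relevant entries ('' if none)."""
    hits = relevant_entries(installed, entries)
    if not hits:
        return ""
    lines = [f"*** WARNING: This package ({installed}) has a security vulnerability ***"]
    lines += [f"{e.pattern:<23} {e.kind:<23} {e.url}" for e in hits]
    lines.append(f"*** WARNING: You are strongly advised to deinstall {installed} now ***")
    return "\n".join(lines)


if __name__ == "__main__":
    print(warning_text("apache-2.0.44", parse_vulnerabilities(SAMPLE_VULNS)))
```

Run against the sample list, apache-2.0.44 produces a three-line warning
naming only the apache-2.0.4[0-4] entry (CAN-2003-0132), while the fifteen
entries for apache 1.3.x and older 2.0.x versions are dropped because their
dewey bound or glob does not match 2.0.44.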