Subject: pkg/22922: sysutils/apcupsd not vulnerable to issue in pkg-vulnerabilities
To: None <gnats-bugs@gnats.netbsd.org>
From: None <tv@duh.org>
List: netbsd-bugs
Date: 09/23/2003 19:18:24
>Number: 22922
>Category: pkg
>Synopsis: sysutils/apcupsd not vulnerable to issue in pkg-vulnerabilities
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Sep 23 23:22:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Todd Vierling
>Release: NetBSD 1.6.1_STABLE
>Organization:
DUH.ORG: Pointing out the obvious since 1994.
>Environment:
System: NetBSD server.duh.org 1.6.1_STABLE NetBSD 1.6.1_STABLE (SERVER) #1: Fri Sep 12 11:28:14 EDT 2003 tv@server.duh.org:/export/SRC/duh/netbsd-kernels/SERVER i386
Architecture: i386
Machine: i386
>Description:
The version of apcupsd in sysutils/apcupsd is not vulnerable to the issue
described at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0099
The issue description was modified on 20030823 to clarify that 3.8.6 is NOT
vulnerable to this issue. So the version numbers in pkg-vulnerabilities need
to be the same as those for CAN-2003-0098.
>How-To-Repeat:
cd pkgsrc/sysutils/apcupsd && make
[see error about vulnerable package]
>Fix:
--- pkg-vulnerabilities.orig Tue Sep 23 19:16:42 2003
+++ pkg-vulnerabilities Tue Sep 23 19:17:55 2003
@@ -335,7 +335,8 @@
bitchx<1.0.3.19nb1 remote-code-execution http://www.securityfocus.com/archive/1/315057
apache-2.0.[0-3][0-9] denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
apache-2.0.4[0-4] denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
-apcupsd<3.10.5 denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0099
+apcupsd<3.8.6 denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0099
+apcupsd-3.10.[0-4] denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0099
setiathome<3.08 remote-code-execution http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Seti@home
samba<=2.2.8 remote-root-access http://lists.samba.org/pipermail/samba-announce/2003-April/000065.html
mgetty+sendfax<1.1.29 file-permissions http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1392
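Review bot: The two added apcupsd lines leave every version from 3.8.6 up to, but not including, 3.10.0 unflagged, while the description only states that 3.8.6 itself is not vulnerable. The CAN-2003-0098 entry that these ranges are meant to mirror is not part of this hunk, so please quote it in the PR or widen the context so the match can be checked. Separately, the bracket glob in `apcupsd-3.10.[0-4]` ends at the final digit, and other entries in this file carry an nb suffix (`bitchx<1.0.3.19nb1`), so it is worth confirming that a revised package name in the 3.10.0 to 3.10.4 range is still matched, or expressing the range with a form that covers it.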
>Release-Note:
>Audit-Trail:
>Unformatted: