Subject: Re: package with security hole not flagged at build time
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Adrian Portelli <adrianp@stindustries.net>
List: pkgsrc-users
Date: 01/09/2007 23:14:16
Steven M. Bellovin wrote:
> On Tue, 9 Jan 2007 18:35:43 +0100
> Geert Hendrickx <ghen@telenet.be> wrote:
> 
>> On Tue, Jan 09, 2007 at 10:38:34AM -0500, Steven M. Bellovin wrote:
>>> According to audit-packages, fetchmail-6.2.5.5nb1 has a security
>>> hole. When I go to its directory and do a 'make', it builds it
>>> without noticing the problem.  My pkgsrc is up-to-date (HEAD), as
>>> is my audit-packages and the vulnerabilities file it uses.  (This
>>> is on -current from about two weeks ago.)
>> Do you have ALLOW_VULNERABLE_PACKAGES set in your environment or in
>> mk.conf?
>>
> 
> No:
> 
> # set|grep ALLOW_VULNERABLE_PACKAGES
> # grep ALLOW_VULNERABLE_PACKAGES /etc/mk.conf
> 
> Btw, the same seems to be happening for print/acroread7.
> 
> 
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb

Just as a matter of interest if you install the package and then run
audit-packages does it pick it up as being vulnerable ?

adrian.