Subject: Re: ophidian.must-have-coffee.gen.nz daily insecurity output for Tue Apr 12 03:15:00 NZST 2005
To: None <tech-security@netbsd.org>
From: Lloyd Parkes <lloyd@must-have-coffee.gen.nz>
List: tech-security
Date: 04/13/2005 21:09:12
On Apr 12, 2005, at 3:36 AM, Charlie Root wrote:
> Running /etc/security.local:
> Package ap-php-4.3.10 php-4.3.10 has a denial-of-service 
> vulnerability, see 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0524
> Package ap-php-4.3.10 php-4.3.10 has a denial-of-service 
> vulnerability, see 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0525

Well, you can guess what I did.

	cd .../pkgsrc
	cvs -q update -dP
	cd www/ap-php
	make update

It said this in response:

	===> Checking for vulnerabilities in ap-php-4.3.10

It proceeded to build and install ap-php-4.3.10, but when I ran 
audit-packages again, I still had the dodgy one. So how come 
audit-packages complains, but pkgsrc is happy? This can't be right. I 
clearly only had pkgsrc for a vulnerable package, so the "Checking for 
vulnerabilities" step should have failed; otherwise you wouldn't need it.

Cheers,
Lloyd
http://www.must-have-coffee.gen.nz/
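When two tools disagree about whether an installed package is vulnerable, the first thing to pin down is which pkg-vulnerabilities pattern (if any) the installed package name actually matches. The following is an added example, not code from this thread or from pkgsrc: a simplified re-implementation of the pattern rules (exact package name, `<`/`<=`/`>`/`>=` version bounds, dewey-style numeric comparison with an `nb` suffix), run over constructed entries in the `pattern type URL` line format; the entries and the `example.invalid` URL are made up for illustration.

```python
"""Match an installed package against pkg-vulnerabilities-style entries."""
import re

# Constructed sample in the pkg-vulnerabilities line format (pattern, type, URL).
# These entries are illustrative; they are not the real 2005 vulnerability list.
SAMPLE_VULNS = """\
# pattern            type                  URL
php<4.3.11           denial-of-service     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0524
ap-php<4.3.11        denial-of-service     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0525
ap-php>=4.4<4.4.1    remote-code-execution http://example.invalid/PLACEHOLDER-ADVISORY
"""

PATTERN_RE = re.compile(r"^([^<>=]+)((?:[<>]=?[^<>=]+)+)$")  # name + one or more bounds
COND_RE = re.compile(r"([<>]=?)([^<>=]+)")                   # each (operator, version)
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def split_pkg(spec):
    """'ap-php-4.3.10' -> ('ap-php', '4.3.10'); the last '-' separates the version."""
    name, _, ver = spec.rpartition("-")
    return name, ver

def version_key(ver):
    """Simplified dewey key: dotted numeric parts, then the 'nb' patch level (0 if absent)."""
    base, _, nb = ver.partition("nb")
    parts = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    return parts, (int(nb) if nb.isdigit() else 0)

def pattern_matches(pattern, installed):
    """True if the installed 'name-version' falls inside the pattern's name and bounds."""
    m = PATTERN_RE.match(pattern)
    if not m:
        return False  # glob-style patterns (e.g. 'pkg-[0-9]*') are not handled here
    name, bounds = m.groups()
    inst_name, inst_ver = split_pkg(installed)
    if name != inst_name:  # 'php<4.3.11' never matches 'ap-php-4.3.10'
        return False
    ikey = version_key(inst_ver)
    return all(OPS[op](ikey, version_key(v)) for op, v in COND_RE.findall(bounds))

def audit(installed, vulns_text=SAMPLE_VULNS):
    """Return the (pattern, type, URL) entries that apply to the installed package."""
    hits = []
    for line in vulns_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        pattern, vtype, url = fields[:3]
        if pattern_matches(pattern, installed):
            hits.append((pattern, vtype, url))
    return hits
```

Running `audit("ap-php-4.3.10")` reports only the `ap-php<4.3.11` entry, while `audit("ap-php-4.3.11")` reports nothing; comparing the patterns each tool is actually reading is the quickest way to explain a disagreement like the one above.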