Thomas Klausner | 1 Apr 11:47 2011

[HEADSUP] Removing vulnerable packages

Hi!

The packages listed below were marked as vulnerable on January 1, 2010
and still marked as vulnerable on April 1, 2011, while having no version
number updates (except for PKGREVISION bumps) in the meantime.[1]

Please speak up if you are currently using one of them.
If you speak up, please think about providing patches to fix the
security issues (though it's not a requirement).

I'll remove packages for which no one spoke up after the branch is cut,
but at the earliest two weeks from now.
This might also cause the removal of dependencies if the package
contains a library or is a dependency for another reason.

RealPlayerGold-10.0.9.809.20070726
acroread-4.05
acroread5-5.10
acroread7-7.0.9
acroread8-8.1.7
adobe-flash-plugin-10.0.0.525
amaya-10.0.1
ap22-auth-mysql-1.11.12
ap22-auth-mysql-4.3.1
asp2php-0.76.17
automake14-1.4.6 [will not remove, still used by too much, patches welcome]
aview-1.3.0.1
bash-completion-1.0
blender-2.49b
bugzilla-2.22.7

Thomas Klausner | 1 Apr 12:37 2011

quota changes break openoffice3

Hi Manuel!

Though I have no idea why it should even care about the header file,
openoffice3 currently doesn't build on 5.99.48/amd64 due to:
/usr/include/ufs/ufs/quota.h:60: error: 'ufsclass2qtype' declared as an 'inline' variable
/usr/include/ufs/ufs/quota.h:60: error: expected primary-expression before 'int'
/usr/include/ufs/ufs/quota.h:61: error: expected ',' or ';' before '{' token

Can you please take a look?

Thanks,
 Thomas

Jukka Ruohonen | 1 Apr 12:39 2011

Re: [HEADSUP] Removing vulnerable packages

On Fri, Apr 01, 2011 at 11:47:30AM +0200, Thomas Klausner wrote:
> I'll remove packages for which noone spoke up after the branch is cut,
> but at the earliest two weeks from now.
> This might also cause the removal of dependencies if the package
> contains a library or is a dependency for another reason.

I use these:

	pdfjam-1.20
	mutt-1.4.2.3

(The latter mainly because I don't know how/why it differs from mutt-devel.)

	blender-2.49b
	snort-2.8.3.1

I don't use the ones above, but aren't these kind of popular mainstream
applications?

- Jukka.

Joerg Sonnenberger | 1 Apr 12:58 2011

Re: [HEADSUP] Removing vulnerable packages

On Fri, Apr 01, 2011 at 11:47:30AM +0200, Thomas Klausner wrote:
> crossfire-server-1.11.0

Don't. Last release seems to be the 1.60.0 series?

> mpop-1.0.12

Could be updated to 1.0.13. Issue not relevant in many forms of
deployment.

> mutt-1.4.2.3

Not sure if people want to move to mutt-devel...

> suse32_freetype2-10.0
> suse32_gtk2-10.0
> suse32_libcups-10.0
> suse32_openssl-10.0
> suse_freetype2-10.0
> suse_gtk2-10.0
> suse_libcups-10.0
> suse_openssl-10.0

Not an option either...

> wxGTK-2.6.3
> wxGTK24-2.4.2

I would like to see both die, but got objections from this "wiz" guy
before :)

Manuel Bouyer | 1 Apr 12:58 2011

Re: quota changes break openoffice3

On Fri, Apr 01, 2011 at 12:37:18PM +0200, Thomas Klausner wrote:
> Hi Manuel!
> 
> Though I have no idea why it should even care about the header file,
> openoffice3 currently doesn't build on 5.99.48/amd64 due to:
> /usr/include/ufs/ufs/quota.h:60: error: 'ufsclass2qtype' declared as an 'inline' variable
> /usr/include/ufs/ufs/quota.h:60: error: expected primary-expression before 'int'
> /usr/include/ufs/ufs/quota.h:61: error: expected ',' or ';' before '{' token
> 
> Can you please take a look?

I will; it probably just needs to use libquota instead of its
own code.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference

Martin Husemann | 1 Apr 13:33 2011

Re: [HEADSUP] Removing vulnerable packages

On Fri, Apr 01, 2011 at 12:58:07PM +0200, Joerg Sonnenberger wrote:
> > mutt-1.4.2.3
> 
> Not sure if people want to move to mutt-devel...

And the "vulnerability" listed here is IMHO pretty minor.

Martin

Thomas Klausner | 1 Apr 13:36 2011

Re: [HEADSUP] Removing vulnerable packages

On Fri, Apr 01, 2011 at 01:39:17PM +0300, Jukka Ruohonen wrote:
> I use these:
> 
> 	pdfjam-1.20

2.08 is out. Care to provide an update? :)

> 	mutt-1.4.2.3
> 
> (The latter mainly because I don't know how/why it differs from mutt-devel.)

The mutt people can't decide to declare a new stable release; I've been
using mutt-devel for a long time without any problems. We should
probably just replace mutt with mutt-devel.

> 	blender-2.49b

I've just fixed this one.

> 	snort-2.8.3.1

snort-2.8.5.1 supposedly fixes this, and 2.9.0.4 is out. Update? :)
 Thomas

OBATA Akio | 1 Apr 13:37 2011

Re: [HEADSUP] Removing vulnerable packages

On Fri, 01 Apr 2011 18:47:30 +0900, Thomas Klausner <wiz@netbsd.org> wrote:

> ap22-auth-mysql-1.11.12
> ap22-auth-mysql-4.3.1

PKGNAME conflicts.
CVE-2008-2384 is for www/ap-auth-mysql (ap22-auth-mysql-4.3.1).

> bash-completion-1.0

Just not confirmed fixed.
I've confirmed vulnerabilities with old code-base version (bash-completion-20060301),
but switched to Debian's one.

> putty-0.6.20090906

As I already noted at import time, the PKGVERSION of security/putty-devel should be changed
to something like 0.60{alpha,beta,pre}20090906; otherwise it is a much older version than security/putty.
http://mail-index.netbsd.org/pkgsrc-changes/2009/09/08/msg029512.html

-- 
OBATA Akio / obache@NetBSD.org
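An added illustration of the two matching problems raised in the message above (this is not code from the thread, from pkgsrc, or from pkg_install). pkg-vulnerabilities entries are matched against the PKGNAME, so when two packages share a PKGNAME (www/ap22-auth-mysql and www/ap-auth-mysql both yield ap22-auth-mysql-*), an entry written for one of them also flags the other. Likewise a PKGVERSION such as 0.6.20090906 compares as older than 0.58 under Dewey rules, so old putty entries match putty-devel, whereas 0.60alpha20090906 sorts above 0.58 and just below 0.60. The same comparison shows why the PKGREVISION bumps excluded by the criterion in the first message (mutt-1.4.2.3nb3 is still below 1.5.21) never clear a "<" entry. The Dewey rules in the script are an approximation of pkg_admin's, and the vulnerability entries, URLs and PKGNAMEs are constructed for the example, not real advisories.

```python
"""Added example (not pkgsrc or pkg_install code): how pkg-vulnerabilities
patterns are matched against PKGNAMEs.  The Dewey comparison below is an
approximation of pkg_admin's rules (numeric components, alpha < beta < pre/rc
< release, 'nbN' = PKGREVISION as tie-breaker) and is an assumption here."""
import fnmatch
import re

_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}
_TOKEN_RE = re.compile(r"(\d+)|(alpha|beta|pre|rc|pl)|([a-z])|([._])", re.I)
_PATTERN_RE = re.compile(r"^([^<>]+?)((?:(?:<=|>=|<|>)[^<>]+)+)$")
_BOUND_RE = re.compile(r"(<=|>=|<|>)([^<>]+)")

def dewey(version):
    """Split '0.60alpha20090906nb2' into ([0, 60, -3, 20090906], 2)."""
    nb, m = 0, re.search(r"nb(\d+)$", version)
    if m:
        nb, version = int(m.group(1)), version[:m.start()]
    parts, pos = [], 0
    while pos < len(version):
        m = _TOKEN_RE.match(version, pos)
        if m is None:
            raise ValueError("unparseable PKGVERSION: %r" % version)
        digits, word, letter, _sep = m.groups()
        if digits:
            parts.append(int(digits))
        elif word:                       # pre-release marker sorts below release
            parts.append(_MODIFIERS[word.lower()])
        elif letter:                     # a lone letter, 1.2a, counts as 1.2.0.1
            parts.extend([0, ord(letter.lower()) - ord("a") + 1])
        pos = m.end()
    return parts, nb

def dewey_cmp(a, b):
    """Return -1, 0 or 1 for PKGVERSION a <, ==, > PKGVERSION b."""
    pa, na = dewey(a)
    pb, nb = dewey(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))        # missing components count as 0
    pb += [0] * (width - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    return (na > nb) - (na < nb)         # same version: PKGREVISION decides

def matches(pattern, pkgname):
    """Match a pkg-vulnerabilities pattern (glob, exact PKGNAME, or Dewey
    range such as pkg<1.2 or pkg>=1.0<2.0) against an installed PKGNAME.
    Brace alternation like {,nb*} is not modelled."""
    if any(c in pattern for c in "*?["):
        return fnmatch.fnmatchcase(pkgname, pattern)
    m = _PATTERN_RE.match(pattern)
    if m is None:
        return pattern == pkgname
    base, _, version = pkgname.rpartition("-")
    if m.group(1) != base:
        return False
    for op, bound in _BOUND_RE.findall(m.group(2)):
        c = dewey_cmp(version, bound)
        if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]:
            return False
    return True

def audit(vuln_text, installed):
    """Map each installed PKGNAME to the (type, url) entries matching it."""
    hits = {}
    for line in vuln_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, vtype, url = line.split()[:3]
        for pkg in installed:
            if matches(pattern, pkg):
                hits.setdefault(pkg, []).append((vtype, url))
    return hits

# Constructed entries in pkg-vulnerabilities layout (pattern, type, URL);
# none of them is a real advisory.
VULNS = """\
#FORMAT 1.0.0
ap22-auth-mysql<4.3.2  sql-injection          http://example.invalid/adv-1
putty<0.58             remote-buffer-overflow http://example.invalid/adv-2
mutt<1.5.21            remote-buffer-overflow http://example.invalid/adv-3
"""

# Constructed PKGNAMEs reproducing the cases raised in the thread.
INSTALLED = [
    "ap22-auth-mysql-1.11.12",  # www/ap22-auth-mysql, same PKGNAME as ...
    "ap22-auth-mysql-4.3.1",    # ... www/ap-auth-mysql, the package meant
    "putty-0.60",               # security/putty
    "putty-0.6.20090906",       # security/putty-devel, current PKGVERSION
    "putty-0.60alpha20090906",  # PKGVERSION form proposed in the thread
    "mutt-1.4.2.3nb3",          # PKGREVISION bump, still older than 1.5.21
]

if __name__ == "__main__":
    for pkg in INSTALLED:
        print("%-26s %s" % (pkg, audit(VULNS, [pkg]).get(pkg, "clean")))
```

Running the script lists, for each constructed PKGNAME, the entries that flag it: both ap22-auth-mysql packages are flagged by the single entry, putty-0.6.20090906 is flagged by an entry meant for putty releases before 0.58 while putty-0.60alpha20090906 is not, and the nb3 revision of mutt stays flagged. The fix on the PKGNAME side is to give distinct packages distinct PKGNAMEs; on the version side it is to choose a PKGVERSION that sorts where the code actually belongs.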

Thomas Klausner | 1 Apr 13:45 2011

Re: [HEADSUP] Removing vulnerable packages

On Fri, Apr 01, 2011 at 12:58:07PM +0200, Joerg Sonnenberger wrote:
> On Fri, Apr 01, 2011 at 11:47:30AM +0200, Thomas Klausner wrote:
> > crossfire-server-1.11.0
> 
> Don't. Last release seems to be the 1.60.0 series?

Update? :)

> > mpop-1.0.12
> 
> Could be updated to 1.0.13. Issue not relevant in many forms of
> deployment.

I think you mean 1.0.23, and I just did the update.

> > mutt-1.4.2.3
> 
> Not sure if people want to move to mutt-devel...

Why not?

> > suse32_freetype2-10.0
> > suse32_gtk2-10.0
> > suse32_libcups-10.0
> > suse32_openssl-10.0
> > suse_freetype2-10.0
> > suse_gtk2-10.0
> > suse_libcups-10.0
> > suse_openssl-10.0
> 

OBATA Akio | 1 Apr 13:55 2011

Re: [HEADSUP] Removing vulnerable packages

On Fri, 01 Apr 2011 20:45:15 +0900, Thomas Klausner <wiz@netbsd.org> wrote:

>> > zope210-2.10.7
>> > zope211-2.11.2
>> > zope29-2.9.10
>> > zope3-3.3.1
>>
>> Not sure how many users of Zope exist, different versions are partially
>> incompatible though.
>
> Perhaps we can weed them out. Let's see if someone uses any of them.

Plus, Zope depends on python24, which is already EOL.

-- 
OBATA Akio / obache@NetBSD.org