Date: Thu, 26 Apr 2007 09:02:13 +0200
From: Remko Lodder <remko@elvandar.org>
To: Foxfair Hu <foxfair@drago.fomokka.net>
Cc: ports@freebsd.org, security-team@freebsd.org, "Simon L. Nielsen" <simon@FreeBSD.org>
Subject: Re: Lynx -vulnerabilities- is this permanent?
Message-ID: <20070426070213.GD65440@elvandar.org>
In-Reply-To: <462F085D.60305@drago.fomokka.net>
References: <200704181057.34795.david@vizion2000.net> <44wt09ilei.fsf@be-well.ilk.org> <4626CFA1.1070209@drago.fomokka.net> <20070419034906.GA48902@xor.obsecurity.org> <46274C13.3050604@drago.fomokka.net> <20070419172317.GA1039@zaphod.nitro.dk> <462F085D.60305@drago.fomokka.net>

On Wed, Apr 25, 2007 at 03:50:53PM +0800, Foxfair Hu wrote:
> Simon L. Nielsen wrote:
> >On 2007.04.19 19:01:39 +0800, Foxfair Hu wrote:
> >>vuxml -> security-team's baby.
> >>Cc added.
> >
> >The problem is caused by interesting version numbering in the
> >www/lynx-current port which now conflicts with www/lynx:
> >
> >[simon@zaphod:lynx-current] make -V PKGNAME
> >lynx-2.8.7d4
> >
> >Basically the problem was fixed in lynx-current (I assume, I haven't
> >checked) 2.8.6d14 which really should have been 2.8.6.d14 to avoid
> >problems like this.
> >
> >[simon@zaphod:~] pkg_version -t 2.8.6d14 2.8.6_4
> >[simon@zaphod:~] pkg_version -t 2.8.6.d14 2.8.6_4
> ><
> >
> >I will try to have a look at how to work around this tonight, but I
> >don't know if I will get to it today.
> >
>
> [Cut off individuals Cc]
>
> Can we remove 2nd and 4th entry? Look at the version info on lynx
> site, I don't think current statement is a correct one:
>
> lynx >2.8.6* <2.8.6d14
> ja-lynx >2.8.6* <2.8.6d14
>
> Diff as below:
> -----------------------------
> cvs diff: Diffing . > Index: vuln.xml > =================================================================== > RCS file: /home/pcvs/ports/security/vuxml/vuln.xml,v > retrieving revision 1.1317 > diff -u -d -b -w -r1.1317 vuln.xml > --- vuln.xml 23 Apr 2007 14:12:10 -0000 1.1317 > +++ vuln.xml 25 Apr 2007 04:01:21 -0000 > @@ -11487,7 +11487,6 @@ > <name>lynx</name> > <name>ja-lynx</name> > <range><lt>2.8.5_1</lt></range> > - <range><gt>2.8.6*</gt><lt>2.8.6d14</lt></range> > </package> > <package> > <name>lynx-ssl</name>

Hello Foxfair,

I think this is not a good idea; as long as 2.8.6X is vulnerable and some
of them are not, we need to mark them up, you are currently proposing to
delist it which isn't a really good idea.

Cheers,
remko

-- 
Kind regards,

Remko Lodder ** remko@elvandar.org
FreeBSD ** remko@FreeBSD.org

/* Quis custodiet ipsos custodes */
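
Review bot: the range line removed from the lynx / ja-lynx package in the quoted hunk (the one bounded by "2.8.6*" and "2.8.6d14") is the only range there that covers 2.8.6 development versions, and deleting it leaves "<lt>2.8.5_1</lt>" as the sole range for those names, so a 2.8.6 development version below 2.8.6d14 would no longer be flagged. The quoted pkg_version -t comparison attributes the false match to how 2.8.6d14 sorts against 2.8.6_4, so I would suggest changing the bounds of the range so that 2.8.6_4 falls outside it rather than dropping the range. The message also asks about the 2nd and 4th entries, but only one removal is visible in this hunk; the second change should be included in the diff so it can be checked the same way.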
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070426070213.GD65440>