Date: Thu, 26 Apr 2007 09:02:13 +0200 From: Remko Lodder <remko@elvandar.org> To: Foxfair Hu <foxfair@drago.fomokka.net> Cc: ports@freebsd.org, security-team@freebsd.org, "Simon L. Nielsen" <simon@FreeBSD.org> Subject: Re: Lynx -vulnerabilities- is this permanent? Message-ID: <20070426070213.GD65440@elvandar.org> In-Reply-To: <462F085D.60305@drago.fomokka.net> References: <200704181057.34795.david@vizion2000.net> <44wt09ilei.fsf@be-well.ilk.org> <4626CFA1.1070209@drago.fomokka.net> <20070419034906.GA48902@xor.obsecurity.org> <46274C13.3050604@drago.fomokka.net> <20070419172317.GA1039@zaphod.nitro.dk> <462F085D.60305@drago.fomokka.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Apr 25, 2007 at 03:50:53PM +0800, Foxfair Hu wrote:
> Simon L. Nielsen wrote:
> >On 2007.04.19 19:01:39 +0800, Foxfair Hu wrote:
> >>vuxml -> security-team's baby.
> >>Cc added.
> >
> >The problem is caused by interesting version numbering in the
> >www/lynx-current port which now conflicts with www/lynx:
> >
> >[simon@zaphod:lynx-current] make -V PKGNAME
> >lynx-2.8.7d4
> >
> >Basically the problem was fixed in lynx-current (I assume, I haven't
> >checked) 2.8.6d14 which really should have been 2.8.6.d14 to avoid
> >problems like this.
> >
> >[simon@zaphod:~] pkg_version -t 2.8.6d14 2.8.6_4
> >[simon@zaphod:~] pkg_version -t 2.8.6.d14 2.8.6_4
> ><
> >
> >I will try to have a look at how to work around this tonight, but I
> >don't know if I will get to it today.
> >
>
> [Cut off individuals Cc]
>
> Can we remove 2nd and 4th entry? Look at the version info on lynx
> site, I don't think current statement is a correct one:
>
> lynx >2.8.6* <2.8.6d14
> ja-lynx >2.8.6* <2.8.6d14
>
> Diff as below:
> -----------------------------
> cvs diff: Diffing .
> Index: vuln.xml
> ===================================================================
> RCS file: /home/pcvs/ports/security/vuxml/vuln.xml,v
> retrieving revision 1.1317
> diff -u -d -b -w -r1.1317 vuln.xml
> --- vuln.xml 23 Apr 2007 14:12:10 -0000 1.1317
> +++ vuln.xml 25 Apr 2007 04:01:21 -0000
> @@ -11487,7 +11487,6 @@
> <name>lynx</name>
> <name>ja-lynx</name>
> <range><lt>2.8.5_1</lt></range>
> - <range><gt>2.8.6*</gt><lt>2.8.6d14</lt></range>
> </package>
> <package>
> <name>lynx-ssl</name>
Hello Foxfair,
I think this is not a good idea; as long as 2.8.6X is vulnerable and some of them
are not, we need to mark them up, you are currently proposing to delist it which
isn't a really good idea.
Cheers,
remko
--
Kind regards,
Remko Lodder ** remko@elvandar.org
FreeBSD ** remko@FreeBSD.org
/* Quis custodiet ipsos custodes */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070426070213.GD65440>