From: David Southwell
Organization: Voice and Vision
To: freebsd-ports@freebsd.org
Cc: security-team@freebsd.org, Lowell Gilbert, Foxfair Hu, ports@freebsd.org, Kris Kennaway, jharris@widomaker.com
Date: Thu, 19 Apr 2007 07:50:11 -0700
Subject: Re: Lynx -vulnerabilities- is this permanent?
Message-Id: <200704190750.12284.david@vizion2000.net>

On Thursday 19 April 2007 04:01:39 Foxfair Hu wrote:
> Kris Kennaway wrote:
> > On Thu, Apr 19, 2007 at 10:10:41AM +0800, Foxfair Hu wrote:
> >> Lowell Gilbert wrote:
> >>> David Southwell writes:
> >>>> portupgrade -a produces following output for lynx on cvsup from today.
> >>>> freebsd 6.1
> >>>> -----------------------------------------
> >>>> ---> Upgrading 'lynx-2.8.5_2' to 'lynx-2.8.6_4' (www/lynx)
> >>>> ---> Building '/usr/ports/www/lynx'
> >>>> ===> Cleaning for lynx-2.8.6_4
> >>>> ===> lynx-2.8.6_4 has known vulnerabilities:
> >>>> => lynx -- remote buffer overflow.
> >>>> Reference:
> >>>> >>>>d03344.html>
> >>>> => Please update your ports tree and try again.
> >>>> *** Error code 1
> >>>>
> >>>> Stop in /usr/ports/www/lynx.
> >>>>
> >>>> Any news or advice forthcoming?
> >>>
> >>> That doesn't *seem* to be applicable to the current version.
> >>> It looks like a version-number parsing problem producing a false
> >>> warning. I don't have access to my build machine to check more closely,
> >>> though...
> >>
> >> Definitely a false alert, lynx 2.8.5rel4 had fixed the problem, and it
> >> was rev1.112 of Makefile in www/lynx. If no one objects, I'll put this
> >> diff to prevent portaudit send wrong warning again:
> >
> > Wrong fix, fix the vuxml instead of hacking around it.
> >
> > Kris
>
> vuxml -> security-team's baby.
> Cc added.
>
> foxfair

OK -- does anyone have any idea when this might be fixed? Not pushing - just wanting to know. Did a cvsup just now but still not fixed.

Thanks for your help - it is appreciated

david