On Wed, Nov 02, 2005 at 05:54:03PM +0100, Hans van Leeuwen wrote:
>
> "pkg_check is built on top of OpenBSD's ports-system. It checks a given
> list of packages for vulnerabilities against the VuXML database. If no
> package is given all installed packages will be checked."
>
> Please test the port and the program.

How do you decide whether a program is affected? I'm getting the result
below, which does not look correct, i.e. I assume 3.1.0 is not affected.

How up-to-date is the database you use? The ports team often applies
security patches without changing the version number of a package, just
bumping it by adding p0 for instance. Is this all taken into account?

| affected p5-Mail-SpamAssassin-3.1.0 |
| discovery: 2005-06-15 |
| entry: 2005-07-10 |
..
| Apache SpamAssassin Security Team reports |
| Apache SpamAssassin 3.0.4 was recently released, and fixes a denial of |
| service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3. The |
| vulnerability allows certain misformatted long message headers to cause |
| spam checking to take a very long time.
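
The two checks asked about in the message above, as an added example that is not part of the original message and is not pkg_check's code. The affected range is taken from the advisory text quoted in the output (3.0.1 through 3.0.3, fixed in 3.0.4); the table of port revisions carrying a backported fix is hypothetical and its single entry is constructed for illustration.

```python
import re

# Affected upstream ranges as (first affected, first fixed), from the advisory text above.
AFFECTED = {"p5-Mail-SpamAssassin": [("3.0.1", "3.0.4")]}

# Hypothetical, constructed data: the port revision (the N in pN) from which a
# backported fix is present, although the upstream version is unchanged.
PORT_FIXES = {("p5-Mail-SpamAssassin", "3.0.3"): 0}


def split_pkgname(pkgname):
    """Split 'stem-version[pN]' into (stem, upstream version, port revision)."""
    m = re.fullmatch(r"(.+)-(\d[^-]*?)(?:p(\d+))?", pkgname)
    if m is None:
        raise ValueError(f"not a package name: {pkgname!r}")
    stem, version, rev = m.groups()
    # A name without a pN suffix sorts before p0, so it is given revision -1.
    return stem, version, int(rev) if rev is not None else -1


def vtuple(version):
    """Compare dotted numeric versions numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check(pkgname):
    stem, version, rev = split_pkgname(pkgname)
    in_range = any(
        vtuple(first_bad) <= vtuple(version) < vtuple(first_fixed)
        for first_bad, first_fixed in AFFECTED.get(stem, [])
    )
    if not in_range:
        return "not affected"
    fixed_rev = PORT_FIXES.get((stem, version))
    if fixed_rev is not None and rev >= fixed_rev:
        return "patched in port"
    return "affected"


if __name__ == "__main__":
    for name in ("p5-Mail-SpamAssassin-3.1.0",
                 "p5-Mail-SpamAssassin-3.0.3",
                 "p5-Mail-SpamAssassin-3.0.3p0"):
        print(name, "->", check(name))
```

A checker that compares only the upstream version reports the last two packages identically, which is the gap the question about p0 points at.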