oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: describing affected systems (was: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations))

From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Fri, 16 May 2025 21:52:14 -0500
On 5/16/25 13:07, Eli Schwartz wrote:

On 5/16/25 12:31 PM, Taylor R Campbell wrote:
[...]

(a) the same pkgsrc packages are available on, e.g., NetBSD 9.x (which
     is not EOL); and

(b) pkgsrc is used on platforms other than NetBSD, including macOS,
     SmartOS, and various Linux distributions (e.g., for unprivileged
     use on HPC clusters where it is more flexible and up-to-date than
     the Linux distribution's package manager).

That is why it would be more accurate for the report to say
`pkgsrc-2025Q1', not `NetBSD 10.1'.


I strongly dispute this. It should instead list both, as both are
affected.
Would "systems using pkgsrc-2025Q1, notably including NetBSD 9.x and NetBSD 10.1" have been a fair way of describing that set? 


(Again, b is the same distinction as "Gentoo, but also
portage-20250508, are both affected".)
Am I mistaken that portage is unique to Gentoo, while pkgsrc is also used for applications on systems other than its native NetBSD? 


-- Jacob
Previous By Date Next
Previous By Thread Next

Current thread: