
Stable signed packages for EdgeBSD-6



Hi users & developers,

this is just to let you know that I have been busy producing signed
binary packages for the stable branch (pkgsrc_2013Q1) for EdgeBSD-6.

Packages for two architectures are available atm, amd64 and i386:
http://ftp.edgebsd.org/pub/pkgsrc/packages/EdgeBSD/amd64/EdgeBSD-6/pkgsrc-2013Q1/All
and
http://ftp.edgebsd.org/pub/pkgsrc/packages/EdgeBSD/i386/EdgeBSD-6/pkgsrc-2013Q1/All

For the record, they have been built according to this script:
http://git.edgebsd.org/gitweb/?p=edgebsd-infrastructure.git;a=blob;f=pkgsrc/mksandbox.sh;hb=HEAD
and through these pkg_chk(8) rules:
http://git.edgebsd.org/gitweb/?p=edgebsd-infrastructure.git;a=blob;f=pkgsrc/pkgchk.conf;hb=HEAD

I am trying to build as many (relevant) packages as possible, in a way
that they can be easily deployed in different situations (appliances,
servers, desktop, laptop...) through pkg_chk(8), as flashable images
eventually. If there is any that you would like to see available (or
with different options), please let me know.
(important: not every package can be distributed as binary)

About options, one in particular that I would have liked to see enabled
myself is ldap, in order to work on the first set of services provided
to the developers of the project - so I may have to rebuild a lot of
packages at some point (revisions will be bumped).

About security, *lots* of security fixes are still pending. I have
started working on this by pulling gnupg 1.4.15, php 5.3.27, thunderbird
17.0.5 and firefox 20.0.2. As you can see from the attachment, this is
by no means sufficient; any help with this is appreciated!
(methodology: ideally simply cherry-picking relevant commits from
netbsd-pkgsrc - feel free to create branches for this - my own is
khorben-releng atm)

How to bootstrap:
- make sure you have the base set from EdgeBSD-6 installed
- set the environment variable PKG_PATH with the relevant address above
  (or via /root/.profile)
- begin with "pkg_add gnupg"
- run "gpg --recv-key 6F3AF5E2"
- then "gpg --edit-key 6F3AF5E2" and set "trust" to 5 (ultimate)
- edit /etc/pkg_install.conf:
  GPG=/usr/pkg/bin/gpg
  VERIFIED_INSTALLATION=always
- optional: install pkgin and set up /usr/pkg/etc/pkgin/repositories.conf
  with the same address as above

Cheers!
-- 
khorben
Package python27-2.7.3nb3 has a ssl-certificate-spoofing vulnerability, see http://secunia.com/advisories/54393/
Package libxml2-2.9.0nb3 has a denial-of-service vulnerability, see http://secunia.com/advisories/54112/
Package libgcrypt-1.5.0 has a sensitive-information-exposure vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242
Package libxcb-1.9 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package libX11-1.5.0nb1 has a multiple-vulnerabilities vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package libXt-1.1.3 has a multiple-vulnerabilities vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package libXext-1.3.1 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package libXrender-0.9.7 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package libXfixes-5.0 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package libXxf86vm-1.1.2 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package MesaLib-7.4.4nb6 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/53558/
Package MesaLib-7.4.4nb6 has a memory-corruption vulnerability, see http://secunia.com/advisories/53662/
Package tiff-4.0.3nb2 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/53237/
Package tiff-4.0.3nb2 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4231
Package tiff-4.0.3nb2 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4232
Package tiff-4.0.3nb2 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243
Package libXp-1.0.1 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package curl-7.29.0nb2 has a remote-information-disclosure vulnerability, see http://secunia.com/advisories/53051/
Package curl-7.29.0nb2 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174
Package libXi-1.7nb1 has a multiple-vulnerabilities vulnerability, see http://www.debian.org/security/2013/dsa-2683
Package libXtst-1.2.1 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package libXinerama-1.1.2 has a arbitrary-code-execution vulnerability, see http://secunia.com/advisories/53564/
Package ruby18-base-1.8.7.371nb1 has a remote-spoofing vulnerability, see http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
Package ruby18-base-1.8.7.371nb1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package openslp-1.2.1nb6 has a denial-of-service vulnerability, see http://secunia.com/advisories/50130/
Package php-5.3.27 has a ssl-certificate-spoofing vulnerability, see http://secunia.com/advisories/54480/
Package apache-2.2.24nb1 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
Package icu-50.1.2nb1 has a unknown-impact vulnerability, see http://secunia.com/advisories/55076/
Package libXcursor-1.1.13 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package libXrandr-1.4.0 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package mono-2.10.9nb2 has a cross-site-scripting vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3382
Package mono-2.10.9nb2 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3543
Package policykit-0.9nb13 has a privilege-escalation vulnerability, see http://secunia.com/advisories/54875/
Package libXv-1.0.7 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package libXxf86dga-1.1.3 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package mplayer-1.1nb5 has a remote-data-manipulation vulnerability, see http://secunia.com/advisories/54871/
Package ruby193-base-1.9.3p429 has a remote-spoofing vulnerability, see http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
Package ruby193-base-1.9.3p429 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4363
Package webkit-gtk-1.10.1nb4 has a remote-system-access vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0912
Package libXres-1.0.6 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package librsvg-2.36.4nb1 has a information-disclosure vulnerability, see http://secunia.com/advisories/55088/
Package modular-xorg-server-1.6.5nb15 has a system-compromission vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396
Package wmmail-0.64nb3 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package nss-3.14.3 has a uninitialized-memory-read vulnerability, see http://secunia.com/advisories/55050/
Package libgdata-0.6.6nb9 has a man-in-the-middle-attack vulnerability, see http://secunia.com/advisories/48315/
Package evolution-data-server-2.32.3nb18 has a remote-information-exposure vulnerability, see http://secunia.com/advisories/45941/
Package empathy-2.34.0nb24 has a cross-site-scripting vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3635
Package gnome-screensaver-2.30.2nb13 has a local-security-bypass vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3452
Package samba-3.6.12nb2 has a denial-of-service vulnerability, see http://www.samba.org/samba/security/CVE-2013-4124
Package gnupg2-2.0.19nb3 has a denial-of-service vulnerability, see http://secunia.com/advisories/55071/
Package vino-2.28.3nb15 has a information-disclosure vulnerability, see http://secunia.com/advisories/50527/
Package vino-2.28.3nb15 has a denial-of-service vulnerability, see http://secunia.com/advisories/54995/
Package vino-2.28.3nb15 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5745
Package xulrunner192-1.9.2.28nb10 has a arbitrary-code-execution vulnerability, see http://secunia.com/advisories/48069/
Package xulrunner192-1.9.2.28nb10 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_base-12.1nb5 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_alsa-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_aspell-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_compat-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_openssl-12.1nb4 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_libcups-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_expat-12.1nb2 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_freetype2-12.1nb2 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_fontconfig-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_x11-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_x11-12.1 has a remote-system-access vulnerability, see http://secunia.com/advisories/53882/
Package suse_x11-12.1 has a remote-system-access vulnerability, see http://secunia.com/advisories/53868/
Package suse_libdrm-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_glx-12.1nb1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_libjpeg-12.1nb1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_libpng-12.1nb3 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_libtiff-12.1nb3 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_gtk2-12.1nb4 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_krb5-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_libsigc++2-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_locale-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_openmotif-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_qt4-12.1nb3 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_slang-12.1 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package suse_libxml2-12.1nb6 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package qt4-libs-4.8.4nb3 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0046
Package qt4-libs-4.8.4nb3 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0049
Package qt4-libs-4.8.4nb3 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0050
Package qt4-libs-4.8.4nb3 has a sensitive-information-exposure vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0051
Package qt4-libs-4.8.4nb3 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0052
Package qt4-libs-4.8.4nb3 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0054
Package qt4-libs-4.8.4nb3 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2621
Package qt4-libs-4.8.4nb3 has a denial-of-service vulnerability, see http://secunia.com/advisories/40588/
Package qt4-libs-4.8.4nb3 has a remote-system-access vulnerability, see http://secunia.com/advisories/46140/
Package qt4-libs-4.8.4nb3 has a local-security-bypass vulnerability, see http://secunia.com/advisories/52040/
Package kdelibs4-4.8.4nb9 has a multiple-vulnerabilities vulnerability, see https://secunia.com/advisories/51097/
Package asterisk-11.2.2 has a sensitive-information-exposure vulnerability, see http://secunia.com/advisories/44452/
Package asterisk-11.2.2 has a denial-of-service vulnerability, see http://downloads.digium.com/pub/security/AST-2013-004.html
Package asterisk-11.2.2 has a denial-of-service vulnerability, see http://downloads.digium.com/pub/security/AST-2013-005.html
Package hplip-3.12.11nb3 has a privilege-escalation vulnerability, see http://secunia.com/advisories/54946/
Package ffmpeg-20130315.1.2 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/36805/
Package ffmpeg-20130315.1.2 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/53825/
Package ffmpeg-20130315.1.2 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/53766/
Package ffmpeg-20130315.1.2 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/54044/
Package ffmpeg-20130315.1.2 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/54164/
Package ffmpeg-20130315.1.2 has a denial-of-service vulnerability, see http://secunia.com/advisories/54389/
Package py27-OpenSSL-0.13nb1 has a information-disclosure vulnerability, see http://secunia.com/advisories/54691/
Package libkdcraw-4.8.4nb7 has a remote-system-access vulnerability, see http://secunia.com/advisories/53888/
Package libkdcraw-4.8.4nb7 has a multiple-vulnerabilities vulnerability, see https://bugzilla.novell.com/show_bug.cgi?id=823113
Package subversion-base-1.7.8 has a denial-of-service vulnerability, see http://subversion.apache.org/security/CVE-2013-2112-advisory.txt
Package subversion-base-1.7.8 has a denial-of-service vulnerability, see http://subversion.apache.org/security/CVE-2013-1968-advisory.txt
Package xulrunner-20.0.1 has a arbitrary-code-execution vulnerability, see http://www.mozilla.org/security/announce/2013/mfsa2013-41.html
Package xulrunner-20.0.1 has a arbitrary-code-execution vulnerability, see http://www.mozilla.org/security/announce/2013/mfsa2013-49.html
Package xulrunner-20.0.1 has a arbitrary-code-execution vulnerability, see http://www.mozilla.org/security/announce/2013/mfsa2013-63.html
Package xulrunner-20.0.1 has a arbitrary-code-execution vulnerability, see http://www.mozilla.org/security/announce/2013/mfsa2013-76.html
Package firefox36-3.6.28nb8 has reached end-of-life (eol), see http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
Package firefox-20.0.1 has a remote-information-exposure vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4688
Package firefox-20.0.1 has a local-security-bypass vulnerability, see http://secunia.com/advisories/47400/
Package firefox-20.0.1 has a multiple-vulnerabilities vulnerability, see http://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox21
Package firefox-20.0.1 has a multiple-vulnerabilities vulnerability, see http://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox22
Package firefox-20.0.1 has a multiple-vulnerabilities vulnerability, see http://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox23
Package firefox-20.0.1 has a multiple-vulnerabilities vulnerability, see http://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox24
Package wireshark-1.8.8 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/54296/
Package wireshark-1.8.8 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/54765/
Package thunderbird-17.0.5 has a multiple-vulnerabilities vulnerability, see http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.6
Package thunderbird-17.0.5 has a multiple-vulnerabilities vulnerability, see http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.7
Package thunderbird-17.0.5 has a multiple-vulnerabilities vulnerability, see http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.8
Package thunderbird-17.0.5 has a multiple-vulnerabilities vulnerability, see http://www.mozilla.org/security/known-vulnerabilities/thunderbirdESR.html#thunderbird17.0.9
Package mysql-server-5.5.30 has a unknown-impact vulnerability, see http://secunia.com/advisories/47894/
Package mysql-server-5.5.30 has a valid-account-enumeration vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5615
Package mysql-server-5.5.30 has a denial-of-service vulnerability, see http://secunia.com/advisories/52639/
Package mysql-server-5.5.30 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/53022/
Package squid-3.3.3nb1 has a denial-of-service vulnerability, see http://secunia.com/advisories/54076/
Package squid-3.3.3nb1 has a denial-of-service vulnerability, see http://www.squid-cache.org/Advisories/SQUID-2013_3.txt
Package mutt-1.4.2.3nb5 has a signature-spoofing vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1268
Package libFS-1.0.4 has a buffer-overflow vulnerability, see http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
Package tsclient-0.132nb50 has a remote-system-access vulnerability, see http://secunia.com/advisories/43120/
Package qemu-1.3.1 has a restriction-bypass vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0011
Package qemu-1.3.1 has a privilege-escalation vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1751
Package qemu-1.3.1 has a privilege-escalation vulnerability, see http://secunia.com/advisories/45187/
Package qemu-1.3.1 has a denial-of-service vulnerability, see http://secunia.com/advisories/45886/
Package qemu-1.3.1 has a buffer-overflow vulnerability, see http://secunia.com/advisories/47740/
Package qemu-1.3.1 has a local-information-disclosure vulnerability, see http://secunia.com/advisories/53032/
Package qemu-1.3.1 has a data-manipulation vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2007
Package openttd-1.2.0nb2 has a denial-of-service vulnerability, see http://secunia.com/advisories/47396/
Package openttd-1.2.0nb2 has a denial-of-service vulnerability, see http://secunia.com/advisories/50042/
Package xenkernel41-4.1.4nb2 has a denial-of-service vulnerability, see http://secunia.com/advisories/53187/
Package xenkernel41-4.1.4nb2 has a denial-of-service vulnerability, see http://secunia.com/advisories/53312/
Package xenkernel41-4.1.4nb2 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/53591/
Package xenkernel41-4.1.4nb2 has a privilege-escalation vulnerability, see http://secunia.com/advisories/53686/
Package xenkernel41-4.1.4nb2 has a privilege-escalation vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1432
Package xenkernel41-4.1.4nb2 has a denial-of-service vulnerability, see http://secunia.com/advisories/53797/
Package xenkernel41-4.1.4nb2 has a denial-of-service vulnerability, see http://secunia.com/advisories/54341/
Package xenkernel41-4.1.4nb2 has a information-leak vulnerability, see http://secunia.com/advisories/54838/
Package xentools41-4.1.4nb4 has a privilege-escalation vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2072
Package xentools41-4.1.4nb4 has a privilege-escalation vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2211
Package xentools41-4.1.4nb4 has a denial-of-service vulnerability, see http://secunia.com/advisories/54593/
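
Added example (not part of the original message and not EdgeBSD's own tooling): a POSIX sh check that a pkg_install.conf carries the two settings from the bootstrap steps above, so that a commented-out or later-overridden line is caught. The parsing rules (KEY=value lines, '#' comment lines, last assignment wins) and the function names conf_get and check_pkg_conf are assumptions of this example.

```sh
#!/bin/sh
# Added example, not EdgeBSD code. Assumed parsing rules: KEY=value lines,
# '#' starts a comment line, the last assignment of a key wins.

# conf_get FILE KEY: print the last value assigned to KEY (empty if unset).
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # ignore commented-out settings
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq > 0 && substr(line, 1, eq - 1) == key) {
                val = substr(line, eq + 1)
                sub(/[ \t\r]+$/, "", val)    # drop trailing blanks and CR
            }
        }
        END { print val }
    ' "$1"
}

# check_pkg_conf FILE: print findings; return 0 only when verification is
# mandatory and gpg is pinned to an absolute path, 1 otherwise, 2 if unreadable.
check_pkg_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    mode=$(conf_get "$conf" VERIFIED_INSTALLATION)
    gpg=$(conf_get "$conf" GPG)

    case "$mode" in
        always)
            echo "OK: VERIFIED_INSTALLATION=always" ;;
        trusted|interactive)
            echo "WARN: VERIFIED_INSTALLATION=$mode is weaker than always"
            rc=1 ;;
        never|"")
            echo "FAIL: VERIFIED_INSTALLATION=${mode:-unset}, verification not enforced"
            rc=1 ;;
        *)
            echo "FAIL: unrecognised VERIFIED_INSTALLATION value: $mode"
            rc=1 ;;
    esac

    case "$gpg" in
        /*) echo "OK: GPG=$gpg" ;;
        "") echo "FAIL: GPG is not set"
            rc=1 ;;
        *)  echo "WARN: GPG=$gpg is not an absolute path"
            rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the two settings given in the bootstrap steps.
sample=$(mktemp)
printf 'GPG=/usr/pkg/bin/gpg\nVERIFIED_INSTALLATION=always\n' > "$sample"
check_pkg_conf "$sample"
rm -f "$sample"
```

On a real system the function would be pointed at /etc/pkg_install.conf, for example from a periodic job, with a non-zero status treated as configuration drift.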