NetBSD Problem Report #42688
From firstname.lastname@example.org Fri Jan 29 00:01:01 2010
Received: from mail.netbsd.org (mail.netbsd.org [220.127.116.11])
by www.NetBSD.org (Postfix) with ESMTP id 1BFA763C2BC
for <gnats-bugs@gnats.NetBSD.org>; Fri, 29 Jan 2010 00:01:01 +0000 (UTC)
Date: Fri, 29 Jan 2010 09:00:58 +0900
Subject: old acroread packages should be removed, because of security risks
>Synopsis: old acroread packages should be removed, because of security risks
>Arrival-Date: Fri Jan 29 00:05:00 +0000 2010
>Last-Modified: Fri Jan 29 18:48:31 +0000 2010
>Originator: SODA Noriyuki
>Release: NetBSD 5.0.1
System: NetBSD heab 5.0.1 NetBSD 5.0.1 (GENERIC) #0: Thu Jul 30 01:39:11 UTC 2009 email@example.com:/home/builds/ab/netbsd-5-0-1-RELEASE/i386/200907292356Z-obj/home/builds/ab/netbsd-5-0-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
acroread, acroread5, acroread7, and acroread8 packages
should be removed from pkgsrc. because:
- All of them have severe security holes.
- All of them are not maintained anymore.
> Adobe have discontinued support for Adobe Reader 8 for Linux.
- There are several alternative PDF readers which are usable.
e.g. epdfview, evince, ... (acroread 9 is desirable too, though)
- The risks to continue to use these packages are high.
There are lots of 0-days attacks against Acrobat reader
(and Flashplayer) these days.
And even trustworthy web sites are not really trustworthly these days
due to the Gumblar virus and its variants which steal passwords
of web admins.
And antivirus vendors claim that there is a treat of PDF viruses
against linux too:
Since acroread is a linux binary, nearly all PDF viruses against
linux do work against NetBSD too, unless the virus relies on a
linux-specific kernel hole.
If it's a TeX source file, security risks could be practically
avoided by knowledgeable users. But the risks about PDF files
cannot be avoided even by knowledgeable users these days.
- Having them in pkgsrc gives false impression to our users
that there is a secure way to continue to use them.
cvs remove && cvs ci
Responsible-Changed-When: Fri, 29 Jan 2010 18:48:31 +0000
Assign to proponent of the move.
$NetBSD: query-full-pr,v 1.36 2007/11/24 03:27:39 kano Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.