Outdated dependencies at ftp.gnome.org (was: Making librsvg work (bizp2.dll missing))



Hartmut Goebel wrote:
Tor Lillqvist wrote:

There is also a libbzip2 package on ftp.gnome.org:

http://ftp.gnome.org/pub/GNOME/binaries/win32/dependencies/libbzip2-1.0.2.zip

Thanks for this pointer! I did not recognise the 'dependencies'
directory. It would have made my life much, much easier :-)

After having a real look at the 'dependencies' directory, I'm horrified!
I checked four packages and they are *all* outdated and contain security
bugs. Only a few examples of vulnerabilities for these versions:

- libxml2 2.6.27: CVE-2008-3529, CVSS Severity: 10.0 (HIGH)
- libbzip2 1.0.2: CVE-2008-1372, CVSS Severity: 4.3 (MEDIUM)
- openssl 0.9.7c: CVE-2006-3738, CVSS Severity: 10.0 (HIGH)
- gnutls 2.4.1:   CVE-2008-4989, CVSS Severity: 4.3 (MEDIUM)
- gnutls 2.2.5:   CVE-2008-1948, CVSS Severity: 10.0 (HIGH)

Now I'm at my wits' end!

There seems to be no reliable source for the third-party libraries GTK+
depends on that is compatible with GTK+. By reliable I mean: having
(at least nearly) up-to-date versions, esp. when security fixes are published.

As I wrote earlier: I'm currently writing some tool to collect all the
dependencies for Tryton (www.tryton.org), an Open Source (GPL) ERP
system. But I cannot put outdated and insecure software into the
development environment of somebody else! The one bundling the Tryton
Windows installer will not be able to maintain it. He has no chance of
getting security holes fixed!

What should I do?

-- 
Kind regards - Regards
Hartmut Goebel
Dipl.-Informatiker (univ.), CISSP, CSSLP

Goebel Consult
Specialist in IT security in complex environments
http://www.goebel-consult.de

Monthly column:
<http://www.all-about-security.de/kolumnen/cissp-gefluester/>

Goebel Consult is a member of <http://www.7-it.de>
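The mail above lists package versions found in the `dependencies` directory next to the CVEs that affect them, and mentions a tool being written to collect such dependencies. The script below is an added example, not Hartmut's tool and not code from the GNOME or Tryton projects: it parses file names of the `libbzip2-1.0.2.zip` form, compares the embedded version with a minimum-acceptable-version policy using a comparison that handles multi-digit components and OpenSSL-style letter suffixes (`0.9.7c`), and reports what falls below the policy, what is not covered by it, and what it could not parse. The directory listing and the policy table are constructed sample data; the minimum versions are hypothetical placeholders, not the real fix versions for the CVEs named in the mail, and a packager would fill them in from the advisories.

```python
"""Audit a win32 dependency directory listing for outdated packages.

Hypothetical helper (not part of any GNOME or Tryton tooling). It parses
file names such as libbzip2-1.0.2.zip, compares the embedded version with a
minimum-acceptable-version policy, and reports what falls below it.
"""
import re
from typing import Dict, List, Optional, Tuple

# "<name>-<version>.zip"; the version may end in one letter (OpenSSL 0.9.7c),
# and "-dev" may appear inside the name or after the version.
FILENAME_RE = re.compile(
    r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*[a-z]?)(?:-dev)?\.zip$"
)


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '1.0.2' or '0.9.7c' into a tuple that compares correctly.

    Numeric parts are padded to four places so 1.0 == 1.0.0.0; a trailing
    letter becomes a fifth component (a=1, b=2, ...), so 0.9.7c < 0.9.8.
    Plain string comparison would get 1.0.10 < 1.0.2 wrong.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", ver)
    if m is None:
        raise ValueError(f"unparseable version: {ver!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    if len(nums) > 4:
        raise ValueError(f"too many version components: {ver!r}")
    nums += [0] * (4 - len(nums))
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return tuple(nums + [letter])


def parse_filename(fname: str) -> Optional[Tuple[str, str]]:
    """Return (package name, version string) or None if the name does not fit."""
    m = FILENAME_RE.match(fname)
    if m is None:
        return None
    return m.group("name"), m.group("ver")


def audit(listing: List[str], policy: Dict[str, str]) -> List[Dict[str, str]]:
    """Classify every file in `listing` against `policy` (name -> minimum version).

    Files whose package has no policy entry are reported as 'unreviewed' and
    files that cannot be parsed as 'unparsed', so nothing slips through silently.
    """
    findings = []
    for fname in sorted(listing):
        parsed = parse_filename(fname)
        if parsed is None:
            findings.append({"file": fname, "status": "unparsed",
                             "package": "", "version": "", "minimum": ""})
            continue
        name, ver = parsed
        # A "-dev" zip follows the policy of its runtime package.
        base = name[:-4] if name.endswith("-dev") else name
        if base not in policy:
            findings.append({"file": fname, "status": "unreviewed",
                             "package": base, "version": ver, "minimum": ""})
            continue
        minimum = policy[base]
        status = "outdated" if parse_version(ver) < parse_version(minimum) else "ok"
        findings.append({"file": fname, "status": status,
                         "package": base, "version": ver, "minimum": minimum})
    return findings


def outdated_files(listing: List[str], policy: Dict[str, str]) -> List[str]:
    """Just the file names that fail the policy, in sorted order."""
    return [f["file"] for f in audit(listing, policy) if f["status"] == "outdated"]


# Constructed sample listing: the versions named in the mail plus two extra entries.
SAMPLE_LISTING = [
    "libxml2-2.6.27.zip",
    "libbzip2-1.0.2.zip",
    "openssl-0.9.7c.zip",
    "gnutls-2.4.1.zip",
    "gnutls-2.2.5.zip",
    "libpng-1.2.34.zip",
    "README",
]

# Hypothetical minimum versions for illustration only; the real thresholds
# must be taken from the advisories for the CVEs in question.
SAMPLE_POLICY = {
    "libxml2": "2.7.2",
    "libbzip2": "1.0.5",
    "openssl": "0.9.8",
    "gnutls": "2.6.0",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING, SAMPLE_POLICY):
        print(f"{f['status']:10} {f['file']:24} {f['version']:8} min {f['minimum'] or '-'}")
```

Running it prints one line per file; the `unreviewed` and `unparsed` statuses are deliberate so that a newly added dependency or an oddly named archive shows up in the report instead of being treated as acceptable.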


