Date:      Thu, 21 Sep 2000 01:27:00 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        Roman Shterenzon <roman@xpert.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Package Vulnerability scanner (CVS commit: pkgsrc (fwd))
Message-ID:  <Pine.BSF.4.21.0009210121190.88596-100000@freefall.freebsd.org>
In-Reply-To: <Pine.LNX.4.10.10009210942110.30586-100000@jamus.xpert.com>

On Thu, 21 Sep 2000, Roman Shterenzon wrote:

> I can build a perl script which will:
> 1) download advisories
> 2) pgp check them
> 3) check the a)pkg version (if fixed in later version) b)install date of
> a package (if fixed only in ports) vs. the "fixed" date in the advisory.
> 4) optional - delete and install newer version.

Hmm. That's an interesting idea - if we use a consistent description format
in the advisory (and upload them in a timely manner to a repository -
which will happen now that I have access to the FTP site) then the scanner
can be essentially self-updating.

I actually haven't looked at the NetBSD implementation I forwarded, but I
think it's just a static database of vulnerable packages which must be
manually updated on the ftp site.

With the new package versioning system, each security fix will cause a
version update of the package version number, making detection of
vulnerable versions easy.

Upgrading the package is not so easy when it has dependencies - this is a
problem which we've wanted someone to come along and solve for ages now,
but if you want to have a crack at it it would also be great.

Thanks for your offer of help!

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
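The version and install-date comparison from step 3 of the quoted proposal, as an added Python example that is not code from this thread or from FreeBSD. The advisory record layout, the installed-package list and the simplified version ordering are assumptions; the download and PGP check of steps 1 and 2 are left out.

```python
import re
from datetime import date

# Constructed advisory records (hypothetical layout, not the real advisory format):
# package name, first fixed package version (None when the fix exists only in the
# port and no new package was built), and the date the fix was committed.
ADVISORIES = [
    {"pkg": "screen", "fixed_version": "3.9.5_1", "fixed_date": date(2000, 9, 5)},
    {"pkg": "xlockmore", "fixed_version": None, "fixed_date": date(2000, 9, 15)},
]

# Constructed installed-package list: "name-version" as pkg_info prints it, plus install date.
INSTALLED = [
    ("screen-3.9.5", date(2000, 8, 1)),
    ("xlockmore-4.17.2", date(2000, 9, 10)),
    ("zip-2.3", date(2000, 9, 20)),
]

def split_pkg(pkgname):
    """Split 'name-1.2_3,1' into ('name', '1.2_3,1'); the version follows the last '-'."""
    name, _, version = pkgname.rpartition("-")
    return name, version

def version_key(version):
    """Simplified model of the version[_PORTREVISION][,PORTEPOCH] ordering (assumption:
    numeric components only): epoch dominates, then the dotted version, then the revision."""
    base, _, epoch = version.partition(",")
    base, _, revision = base.partition("_")
    nums = [int(x) for x in re.findall(r"\d+", base)]
    return (int(epoch or 0), nums, int(revision or 0))

def is_vulnerable(name, version, installed_on, adv):
    """Step 3a: installed version older than the fixed version.
    Step 3b (ports-only fix): package built before the fix was committed."""
    if name != adv["pkg"]:
        return False
    if adv["fixed_version"] is not None:
        return version_key(version) < version_key(adv["fixed_version"])
    return installed_on < adv["fixed_date"]

def scan(installed=INSTALLED, advisories=ADVISORIES):
    """Return the installed package names that an advisory flags as vulnerable."""
    hits = []
    for pkgname, installed_on in installed:
        name, version = split_pkg(pkgname)
        if any(is_vulnerable(name, version, installed_on, adv) for adv in advisories):
            hits.append(pkgname)
    return hits

if __name__ == "__main__":
    print(scan())  # → ['screen-3.9.5', 'xlockmore-4.17.2']
```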
