Date: Tue, 24 Apr 2001 12:27:58 -0700 From: Kris Kennaway <kris@obsecurity.org> To: "Andrew R. Reiter" <arr@watson.org> Cc: Kris Kennaway <kris@obsecurity.org>, Rich Morin <rdm@cfcl.com>, freebsd-hackers@FreeBSD.ORG Subject: Re: automated checking of Security Advisories Message-ID: <20010424122758.A90366@xor.obsecurity.org> In-Reply-To: <Pine.NEB.3.96L.1010424151816.20031B-100000@fledge.watson.org>; from arr@watson.org on Tue, Apr 24, 2001 at 03:22:05PM -0400 References: <20010424121130.C89819@xor.obsecurity.org> <Pine.NEB.3.96L.1010424151816.20031B-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--HcAYCG3uE/tztfnV Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 24, 2001 at 03:22:05PM -0400, Andrew R. Reiter wrote: > On Tue, 24 Apr 2001, Kris Kennaway wrote: >=20 > >=20 > > pkg_version may be a logical place to stick this functionality since > > it already has code for parsing version numbers. >=20 > Ya... I think it would be wise to somehow include validating of the > security advisories too when doing these checks. Im not sure how this > tool will know which packages are vulnerable (Im assuming a config file of > sorts), but it would be a smart thing to include some pgp key validation > of each of the advisory vulns the tool is looking for. Each of the security advisories is signed as they go out, so if the "affected versions" regexp is in the signed copy, they can just check the signature using whichever PGP utility the script knows about, which may be installed. This is another reason why having a third-party modifying the advisory to mark it up into XML is a bad idea; you lose the integrity protection from the PGP signature. Kris --HcAYCG3uE/tztfnV Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE65dO9Wry0BWjoQKURAgdzAJ4nJSUFcM89CBIzPvo92wbJRsrcuACfSjLE bKc+8RXO9nJ9FAOQf5nCatg= =faDI -----END PGP SIGNATURE----- --HcAYCG3uE/tztfnV-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010424122758.A90366>