From: Kris Kennaway
To: "Andrew R. Reiter"
Cc: Kris Kennaway, Rich Morin, freebsd-hackers@FreeBSD.ORG
Subject: Re: automated checking of Security Advisories
Date: Tue, 24 Apr 2001 12:27:58 -0700
Message-ID: <20010424122758.A90366@xor.obsecurity.org>
References: <20010424121130.C89819@xor.obsecurity.org>
In-Reply-To: ; from arr@watson.org on Tue, Apr 24, 2001 at 03:22:05PM -0400

On Tue, Apr 24, 2001 at 03:22:05PM -0400, Andrew R. Reiter wrote:
> On Tue, 24 Apr 2001, Kris Kennaway wrote:
>
> > pkg_version may be a logical place to stick this functionality since
> > it already has code for parsing version numbers.
>
> Ya... I think it would be wise to somehow include validation of the
> security advisories too when doing these checks. I'm not sure how this
> tool will know which packages are vulnerable (I'm assuming a config file of
> sorts), but it would be a smart thing to include some PGP key validation
> of each of the advisory vulns the tool is looking for.
Each of the security advisories is signed as they go out, so if the "affected versions" regexp is in the signed copy, they can just check the signature using whichever PGP utility the script knows about, which may be installed. This is another reason why having a third party modifying the advisory to mark it up into XML is a bad idea; you lose the integrity protection from the PGP signature.

Kris
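As an added example (not code from this thread, from pkg_version, or from the FreeBSD project), here is the verify-then-parse flow Kris describes, in Python: the clearsigned advisory is handed to the installed gpg(1) for signature checking, and only on success is the "affected versions" regexp pulled out of the signed body and matched against installed package names. The "Affected-Versions:" line format, the gpg-on-PATH assumption, the signing key already being in the keyring, and the sample advisory are all assumptions of this example.

```python
import re
import subprocess

# Clearsigned framing (RFC 4880 sec. 7): armor header, optional "Hash:" lines,
# a blank line, the signed body, then the signature block.
CLEARSIGN_RE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?:[^\n]*:[^\n]*\r?\n)*\r?\n"
    r"(?P<body>.*?)\r?\n-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----",
    re.S)

def gpg_verify(clearsigned):
    """True only if gpg(1) reports a good signature; a missing gpg fails closed."""
    try:
        rc = subprocess.run(["gpg", "--batch", "--verify"],
                            input=clearsigned.encode(), capture_output=True).returncode
    except FileNotFoundError:
        return False
    return rc == 0

def signed_body(clearsigned):
    """Return exactly the text the signature covers, undoing '- ' dash-escaping."""
    m = CLEARSIGN_RE.search(clearsigned)
    if not m:
        raise ValueError("not a clearsigned message")
    return "\n".join(line[2:] if line.startswith("- ") else line
                     for line in m.group("body").splitlines())

def affected_packages(clearsigned, installed, verify=gpg_verify):
    """Verify first, parse second: read the regexp only from the signed body."""
    if not verify(clearsigned):
        raise ValueError("signature did not verify; refusing to parse advisory")
    m = re.search(r"^Affected-Versions:\s*(.+)$", signed_body(clearsigned), re.M)
    if not m:
        return []
    pattern = re.compile(m.group(1).strip())  # assumed line format, see lead-in
    return [pkg for pkg in installed if pattern.search(pkg)]

# Constructed sample; the signature block is a placeholder, so gpg_verify rejects it.
SAMPLE_ADVISORY = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sample advisory (constructed, not a real FreeBSD SA)
Affected-Versions: ^example-pkg-1\\.[0-3](\\.[0-9]+)?$
- -- end of advisory text (dash-escaped line)
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
"""
```

Because the regexp is taken from the signed body rather than from a re-marked-up copy, any third-party transformation of the advisory (XML or otherwise) either breaks the signature or is simply never parsed.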