From: Kris Kennaway
To: "Bruce A. Mah"
Cc: Kris Kennaway, Sean Chittenden, Calvin NG, Sean Chittenden, Jeff Kletsky, freebsd-stable@FreeBSD.ORG
Date: Tue, 24 Apr 2001 12:35:17 -0700
Subject: Re: pkg_version perl hacker project
Message-ID: <20010424123517.A90547@xor.obsecurity.org>
In-Reply-To: <200104241907.f3OJ7u103414@bmah-freebsd-0.cisco.com>

On Tue, Apr 24, 2001 at 12:07:56PM -0700, Bruce A. Mah wrote:
> If memory serves me right, Kris Kennaway wrote:
>
> Couple o' random thoughts, don't have time to look into this myself...
>
> > This could be done as an extension to pkg_version, since much of the
> > code you will need to manage versions is already there, and it's a
> > logical extension of that program's function.
>
> Or you can use pkg_version's -t flag to help with the comparisons if
> you think running as a separate script is better.
>
> > NetBSD have a port called audit-packages which does something similar,
> > but not quite the same as the above (last I checked) -- it might still
> > be useful as a starting point.
>
> Think about where to put the parsed set of vulnerable packages. It
> might live under /usr/ports or reside somewhere on the network. Use
> fetch(1) to grab it from there, like pkg_version does for the INDEX
> file.

The advisories live in a well-known place (ftp://ftp.freebsd.org/pub/CERT/advisories): an algorithm might be to check the directory for any new files, and mirror them locally to e.g. /var/db/advisories to save on bandwidth the next time the script is run. The script can also display chunks of the advisory to describe the details of a vulnerability it finds.

Kris
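The two pieces the thread sketches, written out as an added example that is not part of the message above and is not code from FreeBSD or pkg_version: deciding which advisory files are new relative to a local mirror, and flagging installed packages older than the fixed version in a parsed vulnerability list. The "name fixed-version advisory-file" list format is an assumption made here, and compare() is a simplified stand-in for pkg_version -t (version[_revision][,epoch]); a real script would shell out to pkg_version.

```python
# Added example, not code from the mailing-list thread or from FreeBSD.
# new_advisories(): what still needs to be pulled with fetch(1) into the
# local mirror (e.g. /var/db/advisories).  vulnerable(): installed packages
# older than the fixed version named in a vulnerability list.
# ASSUMPTIONS: the list format "name fixed-version advisory-file" is invented
# here; compare() approximates pkg_version -t for version[_revision][,epoch].
import re

def new_advisories(remote_names, local_names):
    """Names present on the server but absent from the local mirror; only
    these need to be fetched on this run, saving bandwidth next time."""
    return sorted(set(remote_names) - set(local_names))

def _key(version):
    """'1.2.3_2,1' -> (epoch 1, [(1, ''), (2, ''), (3, '')], revision 2)."""
    epoch = revision = 0
    if "," in version:
        version, epoch = version.split(",", 1)
    if "_" in version:
        version, revision = version.split("_", 1)
    comps = []
    for c in version.split("."):
        m = re.match(r"(\d*)(.*)", c)          # '2a' -> (2, 'a'); '' -> (0, '')
        comps.append((int(m.group(1) or 0), m.group(2)))
    return (int(epoch), comps, int(revision))

def compare(a, b):
    """-1, 0 or 1 as a is older than, equal to, or newer than b."""
    ka, kb = _key(a), _key(b)
    return (ka > kb) - (ka < kb)

def split_pkgname(pkg):
    """pkg_info-style 'name-version' -> ('name', 'version')."""
    name, _, ver = pkg.rpartition("-")
    return name, ver

def vulnerable(installed_pkgs, vuln_lines):
    """installed_pkgs: pkg_info names like 'foo-1.2_1'.  Returns
    [(name, version, advisory)] for packages older than the fixed version."""
    installed = dict(split_pkgname(p) for p in installed_pkgs)
    hits = []
    for line in vuln_lines:
        if not line.strip() or line.startswith("#"):
            continue                            # blank or comment line
        name, fixed, advisory = line.split()
        ver = installed.get(name)
        if ver is not None and compare(ver, fixed) < 0:
            hits.append((name, ver, advisory))
    return hits
```

Feed new_advisories() the remote directory listing and os.listdir() of the mirror, and vulnerable() the output of pkg_info and the parsed list; the advisory name in each hit is the file whose text the script would display.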