From owner-freebsd-vuxml@FreeBSD.ORG Mon Oct 18 00:13:10 2004
Date: Sun, 17 Oct 2004 20:13:02 -0400 (EDT)
From: Dan Langille
To: freebsd-vuxml@freebsd.org
Message-ID: <20041017201037.V55729@xeon.unixathome.org>
Subject: can portaudit report a fixed date/version?
List-Id: Documenting security issues in VuXML

Hi folks:

I have portaudit installed. Each morning I get notified if there are any
vulnerabilities that I should know about. That's good.

I think portaudit should also tell me if it knows there is a fix available
in the tree. That would immediately tell me that I can cvsup and get the
problem fixed.

Comments?

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From owner-freebsd-vuxml@FreeBSD.ORG Tue Oct 19 15:00:18 2004
Date: Tue, 19 Oct 2004 09:59:52 -0500
From: "Jacques A. Vidrine"
To: Dan Langille
cc: freebsd-vuxml@freebsd.org
Message-ID: <20041019145952.GA22119@madman.celabo.org>
In-Reply-To: <20041017201037.V55729@xeon.unixathome.org>
References: <20041017201037.V55729@xeon.unixathome.org>
Subject: Re: can portaudit report a fixed date/version?

On Sun, Oct 17, 2004 at 08:13:02PM -0400, Dan Langille wrote:
> Hi folks:
>
> I have portaudit installed. Each morning I get notified if there are any
> vulnerabilities that I should know about. That's good.
>
> I think portaudit should also tell me if it knows there is a fix available
> in the tree. That would immediately tell me that I can cvsup and get the
> problem fixed.
>
> Comments?

The VuXML format contains only which packages are affected, and not a
direct indicator whether or not a fix has been applied. This is by
design. Including that information would be redundant. From VuXML, you
know what package versions are affected. From the Ports Collection, you
know what package versions are available.

A tool such as portaudit could compute whether a fix is available or
not for you. It might be a nice feature.

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-vuxml@FreeBSD.ORG Tue Oct 19 20:41:02 2004
Date: Tue, 19 Oct 2004 16:41:01 -0400 (EDT)
From: Dan Langille
To: "Jacques A. Vidrine"
cc: freebsd-vuxml@freebsd.org
Message-ID: <20041019163753.U74644@xeon.unixathome.org>
In-Reply-To: <20041019145952.GA22119@madman.celabo.org>
References: <20041017201037.V55729@xeon.unixathome.org> <20041019145952.GA22119@madman.celabo.org>
Subject: Re: can portaudit report a fixed date/version?

On Tue, 19 Oct 2004, Jacques A. Vidrine wrote:

> On Sun, Oct 17, 2004 at 08:13:02PM -0400, Dan Langille wrote:
> > Hi folks:
> >
> > I have portaudit installed. Each morning I get notified if there are any
> > vulnerabilities that I should know about. That's good.
> >
> > I think portaudit should also tell me if it knows there is a fix available
> > in the tree. That would immediately tell me that I can cvsup and get the
> > problem fixed.
> >
> > Comments?
>
> The VuXML format contains only which packages are affected, and not
> a direct indicator whether or not a fix has been applied. This is
> by design. Including that information would be redundant. From
> VuXML, you know what package versions are affected. From the Ports
> Collection, you know what package versions are available.

My thoughts were that an additional field could easily be added that
indicated whether or not a fix had been applied to the Ports Collection.
This would enable portaudit to report immediately.

> A tool such as portaudit could compute whether a fix is available or
> not for you. It might be a nice feature.

It would be a useful feature. It would save many admins quite a bit of
time.

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From owner-freebsd-vuxml@FreeBSD.ORG Tue Oct 19 21:33:55 2004
Date: Tue, 19 Oct 2004 16:33:30 -0500
From: "Jacques A. Vidrine"
To: Dan Langille
cc: freebsd-vuxml@freebsd.org
Message-ID: <20041019213329.GB45466@madman.celabo.org>
In-Reply-To: <20041019163753.U74644@xeon.unixathome.org>
References: <20041017201037.V55729@xeon.unixathome.org> <20041019145952.GA22119@madman.celabo.org> <20041019163753.U74644@xeon.unixathome.org>
Subject: Re: can portaudit report a fixed date/version?

On Tue, Oct 19, 2004 at 04:41:01PM -0400, Dan Langille wrote:
> My thoughts were that an additional field could easily be added

It could be easily added, but I'm not sure that it would be easily
maintained. Today, we can fairly accurately predict what currently
non-existent versions of the port will be fixed when we fill out .
That means that in the vast majority of cases, when the port has been
fixed, no one needs to do anything special: the new version
automatically shows up as not affected. If we make this explicit
instead, then it is extra work. Additionally, there is the evil of
duplicating data, which I mostly want to avoid.

But, why not throw out a strawman example of what you mean so that we
can get more discussion going about it?

> that indicated whether or not a fix had been applied to the Ports
> Collection. This would enable portaudit to report immediately.
>
> > A tool such as portaudit could compute whether a fix is available or
> > not for you. It might be a nice feature.
>
> It would be a useful feature.

Maybe the portaudit author will add it. It is mostly trivial. I can,
however, think of at least one edge case where it is *not* trivial---
e.g. the `fix' involves a change in the package name.

> It would save many admins quite a bit of time.

How so? (serious question)

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-vuxml@FreeBSD.ORG Wed Oct 20 00:32:15 2004
Date: Tue, 19 Oct 2004 20:32:13 -0400 (EDT)
From: Dan Langille
To: "Jacques A. Vidrine"
cc: freebsd-vuxml@freebsd.org
Message-ID: <20041019202849.Q99899@xeon.unixathome.org>
In-Reply-To: <20041019213329.GB45466@madman.celabo.org>
References: <20041017201037.V55729@xeon.unixathome.org> <20041019163753.U74644@xeon.unixathome.org> <20041019213329.GB45466@madman.celabo.org>
Subject: Re: can portaudit report a fixed date/version?

On Tue, 19 Oct 2004, Jacques A. Vidrine wrote:

> > It would save many admins quite a bit of time.
>
> How so? (serious question)

I don't have time just now to answer the other questions but I can
answer this one.

Portaudit tells me that port xyz is vulnerable. But there is no fix.
How do I know when there is a fix? Only by checking FreshPorts, cvs
logs, the ports tree, trying to install the port, portupgrade, etc. I
could do this daily for days without a fix.

Instead, if portaudit reported that port xyz is vulnerable and that
there is a fix (if there actually is a fix), then all I need to do is
monitor my daily security email that automagically includes the output
of portaudit. I can then instantly know that it's time to run
portupgrade on port xyz.

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
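The computation Jacques describes in this thread (VuXML records which package versions are affected, the Ports Collection records which versions exist, so a tool can derive whether a fix is available without a separate "fixed" field), together with the package-rename edge case he raises, worked through as an added example. This is example code written for this page, not portaudit's own: the VuXML entries, the installed-package list and the ports-tree version list are constructed sample data, the `vid` values are placeholders, the XML namespace is assumed to be the one vuln.xml uses (the parser matches on local element names so it works either way), and `version_key` is a simplified approximation of pkg_version(1) ordering, not its real algorithm.

```python
"""Derive "fix available?" from VuXML affected ranges plus ports-tree versions.

Added example, not portaudit's code.  Every input below is CONSTRUCTED.
"""
import re
import xml.etree.ElementTree as ET

# Constructed VuXML document using the <affects>/<package>/<range> layout of
# vuln.xml.  The vid values are placeholders and the package names are made up.
SAMPLE_VUXML = """<?xml version="1.0"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>foo -- constructed issue, fixed in ports</topic>
    <affects><package><name>foo</name><range><lt>1.2.3</lt></range></package></affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>baz -- constructed issue, not yet fixed in ports</topic>
    <affects><package><name>baz</name><range><ge>3.0</ge><lt>3.1</lt></range></package></affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000003">
    <topic>qux -- constructed issue, port renamed (the edge case)</topic>
    <affects><package><name>qux</name><range><lt>2.0</lt></range></package></affects>
  </vuln>
</vuxml>
"""

# Constructed "what is installed" and "what the ports tree offers" data.
SAMPLE_INSTALLED = {"foo": "1.2.2", "bar": "2.0", "baz": "3.0_1", "qux": "1.9"}
SAMPLE_AVAILABLE = {"foo": "1.2.3", "bar": "2.0", "baz": "3.0_2", "qux2": "2.0"}


def local(tag):
    """Strip the XML namespace so the code works with or without one."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def version_key(v):
    """Simplified FreeBSD version ordering: [version][_revision][,epoch].
    Numeric components compare numerically; NOT pkg_version(1)'s full rules."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    tokens = tuple((0, int(t)) if t.isdigit() else (1, t)
                   for t in re.findall(r"\d+|[A-Za-z]+", v))
    return (epoch, tokens, rev)


def cmp_versions(a, b):
    """-1, 0 or 1 as a is older than, equal to, or newer than b."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


# VuXML bound elements: a version is inside a <range> when every bound holds.
BOUNDS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0,
          "gt": lambda c: c > 0, "ge": lambda c: c >= 0, "eq": lambda c: c == 0}


def is_affected(version, package):
    """True if `version` falls inside any <range> of this <package> element."""
    for rng in children(package, "range"):
        if all(BOUNDS[local(b.tag)](cmp_versions(version, b.text.strip()))
               for b in rng if b.text):
            return True
    return False


def fix_status(vuxml_text, installed, available):
    """Map each affected installed package to (vid, status).

    Status is derived, as Jacques suggests, purely from the affected ranges
    and the versions the ports tree offers; no extra "fixed" field is needed.
    A port that vanished from the tree (possibly renamed) cannot be decided
    automatically, which is the non-trivial edge case from the thread."""
    root = ET.fromstring(vuxml_text)
    report = {}
    for vuln in children(root, "vuln"):
        vid = vuln.get("vid")
        for affects in children(vuln, "affects"):
            for package in children(affects, "package"):
                for name_elem in children(package, "name"):
                    name = name_elem.text.strip()
                    if name not in installed or not is_affected(installed[name], package):
                        continue
                    if name not in available:
                        status = "not in ports tree (possibly renamed): check manually"
                    elif is_affected(available[name], package):
                        status = f"no fix yet (ports tree has {available[name]})"
                    else:
                        status = f"fix available: upgrade to {available[name]}"
                    report[name] = (vid, status)
    return report


if __name__ == "__main__":
    for name, (vid, status) in sorted(fix_status(SAMPLE_VUXML, SAMPLE_INSTALLED,
                                                 SAMPLE_AVAILABLE).items()):
        print(f"{name}: {status}  [{vid}]")
```

With the constructed data, `foo` is reported as fixable (1.2.3 is outside the `<lt>1.2.3</lt>` range), `baz` as still unfixed (3.0_2 is still inside `3.0 <= v < 3.1`, illustrating Jacques's point that a new port revision is automatically judged against the range with no manual update to the entry), `bar` is not mentioned at all, and `qux` falls into the rename case where the tool can only flag the package for manual review.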