Date: Tue, 24 Apr 2001 13:08:48 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Sean Chittenden <sean@chittenden.org>
Cc: Kris Kennaway <kris@obsecurity.org>, Calvin NG <calvinng@brel.com>, Sean Chittenden <sean-freebsd-stable@chittenden.org>, Jeff Kletsky <Jeff+freebsd@wagsky.com>, freebsd-stable@FreeBSD.ORG, bmah@FreeBSD.ORG
Subject: Re: pkg_version perl hacker project
Message-ID: <20010424130848.C91239@xor.obsecurity.org>
In-Reply-To: <20010424125216.L19530@rand.tgd.net>; from sean@chittenden.org on Tue, Apr 24, 2001 at 12:52:16PM -0700
References: <Pine.BSF.4.21.0104230806060.27435-100000@wildside.wagsky.com> <20010423231827.A19530@rand.tgd.net> <20010424142340.E5216@brel.com> <20010424014833.B19530@rand.tgd.net> <20010424120052.H89156@xor.obsecurity.org> <2001@=> <20010424125216.L19530@rand.tgd.net>
On Tue, Apr 24, 2001 at 12:52:16PM -0700, Sean Chittenden wrote:

>       Alright, I'll see if I can whip something out over the next
> few days.  What kind of advisories do you want to support?  I'm
> assuming BSD and that's it... maybe CERT.

The only practical ones would be the FreeBSD advisories; they're the
only ones which relate to the FreeBSD Ports Collection directly.

> > Parses a set of ports security advisories, extracts a list of
> > vulnerable package versions described in some form (regex/glob
> > expression/etc) and checks for any vulnerable packages installed.
>
>       Why not set up a mirrorable, online index of all ports that are
> forbidden.  Have it run over HTTP so that proxy support should be
> cake, and ... rest's history.

I'd prefer not to have to maintain a separate database, because
history tells us that it will become stale.

>       Yeah, why not.  With a tool like this, it'd make security
> a part of an SA's daily routine.  Tonight I'll dive through my archived
> mail and look for a few advisories to model after.  Is there a central
> clearing house for all advisories, or some kind of database that can
> be queried?  Are advisories distributed with a system?  I haven't seen
> them in my cvsup logs, but this wouldn't be the first thing I've
> glanced over and not noticed (ex: pkg_version).  -sc

We've talked about sticking them in the CVS repo, but they're not
currently there (besides, most people don't cvsup the www collection,
where they'd probably live).  The FTP site is the only canonical
location which everyone has access to.
Kris
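The checker sketched in the quoted text (parse advisories, extract vulnerable version patterns as globs or version bounds, compare against what is installed) can be shown end to end. The following is an added illustration written for this archive page; it is not pkg_version, not the Perl script Sean offered to write, and not the FreeBSD project's code. The advisory line format, the advisory identifiers (SA-EXAMPLE-*), the package names and the installed-package listing are all constructed for the example; real FreeBSD advisories are free-form text and would need their own extraction step. Python is used here so the example can be run as-is, even though the thread proposes Perl.

```python
"""Added example: match installed name-version packages against advisory
patterns. Advisory format, identifiers and package names are hypothetical."""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed advisory excerpt (hypothetical format, not FreeBSD's real layout):
# one record per line, "<advisory-id> <pattern>". A pattern is either a glob
# over the full "name-version" string, or "name<version", meaning every
# version of that package below the given one.
ADVISORY_TEXT = """\
# constructed sample; SA-EXAMPLE-* are placeholder identifiers
SA-EXAMPLE-1 examplepkg-1.6.3*
SA-EXAMPLE-2 otherpkg<2.3.0
SA-EXAMPLE-3 thirdpkg-3.9.5_?
"""

# Constructed installed-package listing in "name-version" form, one per line
# (the shape of `pkg_info | cut -d' ' -f1`).
INSTALLED_TEXT = """\
examplepkg-1.6.3_1
otherpkg-2.2.0
otherpkg-2.9
thirdpkg-3.9.5_2
unrelated-5.6.0
"""


def split_pkg(pkg: str) -> Tuple[str, str]:
    """Split 'name-version' at the last hyphen; package names may themselves
    contain hyphens, so a naive split on the first one would be wrong."""
    name, sep, version = pkg.rpartition("-")
    if not sep or not name or not version:
        raise ValueError(f"not a name-version string: {pkg!r}")
    return name, version


def version_key(version: str):
    """Comparable key for a version string: digit runs compare numerically
    (so 2.10 > 2.9) and a bare prefix sorts below a longer string with the
    same prefix (so 2.9 < 2.9p1 and 3.9.5 < 3.9.5_2). Letter runs are tagged
    so they never compare directly against integers."""
    key = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        key.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(key)


@dataclass(frozen=True)
class Rule:
    advisory: str
    pattern: str

    def matches(self, pkg: str) -> bool:
        name, version = split_pkg(pkg)
        if "<" in self.pattern:
            rule_name, bound = self.pattern.split("<", 1)
            return name == rule_name and version_key(version) < version_key(bound)
        # Glob is matched against the whole name-version string, case-sensitive.
        return fnmatch.fnmatchcase(pkg, self.pattern)


def parse_advisories(text: str) -> List[Rule]:
    """Turn the hypothetical advisory record format into Rule objects,
    ignoring blank lines and '#' comments; malformed records raise."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<id> <pattern>', got {raw!r}")
        rules.append(Rule(advisory=fields[0], pattern=fields[1]))
    return rules


def find_vulnerable(rules: List[Rule], installed_text: str) -> List[Tuple[str, str]]:
    """Return (package, advisory) pairs for every installed package that an
    advisory rule matches, in installed order; a package hit by several
    advisories appears once per advisory."""
    hits = []
    for pkg in (p.strip() for p in installed_text.splitlines()):
        if not pkg:
            continue
        for rule in rules:
            if rule.matches(pkg):
                hits.append((pkg, rule.advisory))
    return hits


if __name__ == "__main__":
    for pkg, advisory in find_vulnerable(parse_advisories(ADVISORY_TEXT), INSTALLED_TEXT):
        print(f"{pkg}: affected by {advisory}")
```

The version comparison is the part worth getting right: string comparison would rank 2.10 below 2.9, and an installed PORTREVISION suffix (3.9.5_2) must still count as "3.9.5 or later". Anything that pulls the advisory list over the network, as the quoted HTTP-index idea suggests, should also verify the download (the FTP site's signed advisories, or at least a checksum) before acting on it, since the list decides which packages get flagged.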