Date: Thu, 21 Sep 2000 01:27:00 -0700 (PDT)
From: Kris Kennaway
To: Roman Shterenzon
Cc: freebsd-security@freebsd.org
Subject: Re: Package Vulnerability scanner (CVS commit: pkgsrc (fwd))

On Thu, 21 Sep 2000, Roman Shterenzon wrote:

> I can build a perl script which will:
> 1) download advisories
> 2) pgp check them
> 3) check the a) pkg version (if fixed in later version) b) install date of
> a package (if fixed only in ports) vs. the "fixed" date in the advisory.
> 4) optional - delete and install newer version.

Hmm. That's an interesting idea - if we use a consistent description format in the advisory (and upload them in a timely manner to a repository - which will happen now that I have access to the FTP site) then the scanner can be essentially self-updating. I actually haven't looked at the NetBSD implementation I forwarded, but I think it's just a static database of vulnerable packages which must be manually updated on the ftp site. With the new package versioning system, each security fix will cause a version update of the package version number, making detection of vulnerable versions easy.
Upgrading the package is not so easy when it has dependencies - this is a problem which we've wanted someone to come along and solve for ages now, but if you want to have a crack at it it would also be great.

Thanks for your offer of help!

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
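A sketch of the version-and-date check from step 3 of Roman's list, as an added example rather than code from this thread: it assumes FreeBSD's name-version[_revision][,epoch] package naming, uses a simplified version ordering (an assumption, not pkg_version's full algorithm), and the installed packages and advisories are constructed sample data.

```python
import re
from datetime import date
_TOKEN = re.compile(r"\d+|[A-Za-z]+")
def parse_pkgname(pkgname):
    """Split FreeBSD 'name-version[_revision][,epoch]' into its four parts."""
    name, _, ver = pkgname.rpartition("-")
    epoch = revision = 0
    if "," in ver:
        ver, e = ver.split(",", 1)
        epoch = int(e)
    if "_" in ver:
        ver, r = ver.split("_", 1)
        revision = int(r)
    return name, ver, revision, epoch

def _version_key(ver):
    # Simplified ordering (an assumption, not pkg_version's full algorithm):
    # numbers compare as integers, letters lexically, 1.2a > 1.2, 1.10 > 1.9.
    return [(1, int(t)) if t.isdigit() else (0, t.lower())
            for t in _TOKEN.findall(ver)]

def compare_versions(a, b):
    """Return -1, 0 or 1 comparing two 'version[_rev][,epoch]' strings."""
    _, va, ra, ea = parse_pkgname("x-" + a)
    _, vb, rb, eb = parse_pkgname("x-" + b)
    ka, kb = (ea, _version_key(va), ra), (eb, _version_key(vb), rb)
    return (ka > kb) - (ka < kb)
def scan(installed, advisories):
    """installed: {pkgname: install date}; an advisory names a package plus
    'fixed_in' (first safe version) or 'fixed_date' (ports-only fix, step 3b).
    Returns [(pkgname, advisory id)] for every affected installed package."""
    hits = []
    for pkgname, installed_on in installed.items():
        name, ver, rev, epoch = parse_pkgname(pkgname)
        have = "%s_%d,%d" % (ver, rev, epoch)
        for adv in advisories:
            if adv["name"] != name:
                continue
            if "fixed_in" in adv:
                if compare_versions(have, adv["fixed_in"]) < 0:
                    hits.append((pkgname, adv["id"]))
            elif installed_on < adv["fixed_date"]:
                hits.append((pkgname, adv["id"]))
    return hits
# Constructed sample data, not a real advisory feed or real package list.
INSTALLED = {"wu-ftpd-2.6.0_1": date(2000, 6, 1), "openssh-2.1.1": date(2000, 9, 10),
             "bind-8.2.2": date(2000, 3, 5)}
ADVISORIES = [{"id": "ADV-1", "name": "wu-ftpd", "fixed_in": "2.6.1"},
              {"id": "ADV-2", "name": "openssh", "fixed_in": "2.1.1"},
              {"id": "ADV-3", "name": "bind", "fixed_date": date(2000, 4, 1)}]
```

Steps 1 and 2 (fetching the advisories and checking their PGP signatures) are left out; the scanner only trusts advisory data that has passed that check.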