From owner-freebsd-stable Tue Apr 24 13:08:54 2001
Date: Tue, 24 Apr 2001 13:08:48 -0700
From: Kris Kennaway
To: Sean Chittenden
Cc: Kris Kennaway, Calvin NG, Sean Chittenden, Jeff Kletsky, freebsd-stable@FreeBSD.ORG, bmah@FreeBSD.ORG
Subject: Re: pkg_version perl hacker project
Message-ID: <20010424130848.C91239@xor.obsecurity.org>
References: <20010423231827.A19530@rand.tgd.net> <20010424142340.E5216@brel.com> <20010424014833.B19530@rand.tgd.net> <20010424120052.H89156@xor.obsecurity.org> <20010424125216.L19530@rand.tgd.net>
In-Reply-To: <20010424125216.L19530@rand.tgd.net>; from sean@chittenden.org on Tue, Apr 24, 2001 at 12:52:16PM -0700
User-Agent: Mutt/1.2.5i

On Tue, Apr 24, 2001 at 12:52:16PM -0700, Sean Chittenden wrote:
> Alright, I'll see if I can whip something out over the next
> few days. What kind of advisories do you want to support? I'm
> assuming BSD and that's it... maybe CERT.

The only practical ones would be the FreeBSD advisories; they're the only ones which relate to the FreeBSD Ports Collection directly.
> > Parses a set of ports security advisories, extracts a list of
> > vulnerable package versions described in some form (regex/glob
> > expression/etc) and checks for any vulnerable packages installed.
>
> Why not set up a mirrorable, online index of all ports that are
> forbidden. Have it run over HTTP so that proxy support should be
> cake, and ... rest's history.

I'd prefer not to have to maintain a separate database, because history tells us that it will become stale.

> Yeah, why not. With a tool like this, it'd make security
> a part of an SA's daily routine. Tonight I'll dive through my archived
> mail and look for a few advisories to model after. Is there a central
> clearing house for all advisories, or some kind of database that can
> be queried? Are advisories distributed with a system? I haven't seen
> them in my cvsup logs, but this wouldn't be the first thing I've
> glanced over and not noticed (ex: pkg_version).
>
> -sc

We've talked about sticking them in the CVS repo, but they're not currently there (besides, most people don't cvsup the www collection, where they'd probably live). The FTP site is the only canonical location which everyone has access to.

Kris
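The tool sketched in the quoted paragraph (parse advisories, extract vulnerable version patterns, check them against what is installed) can be shown in a few dozen lines. The following is an added example, written for this archive page; it is not code from the thread's authors or from the FreeBSD project, and it does not use the real FreeBSD advisory format. It assumes a hypothetical one-line-per-pattern advisory format ("Affected: <advisory-id> <pattern>") where a pattern is either a shell-style glob over the full package name ("apache-1.3.1*") or "name<version" meaning every version below the bound, and it takes installed packages as "name-version" strings, the shape pkg_info prints. Both the advisory text and the installed list are constructed sample data. It goes slightly beyond the thread by supporting the two pattern kinds (glob and upper-bound range) side by side, since glob matching alone over-matches ("1.3.1*" also catches 1.3.10).

```python
"""Added example: a minimal ports security-advisory checker.

Not the FreeBSD project's code; the advisory format, advisory IDs and
package list below are all constructed for this example.
"""
from __future__ import annotations

import fnmatch
import re

# Constructed sample advisories (hypothetical format and IDs, not real FreeBSD SAs).
SAMPLE_ADVISORIES = """\
Advisory: EXAMPLE-SA-01:01
Affected: EXAMPLE-SA-01:01 apache-1.3.1*
Advisory: EXAMPLE-SA-01:02
Affected: EXAMPLE-SA-01:02 bind<8.2.3
Affected: EXAMPLE-SA-01:02 bind9<9.1.1
"""

# Constructed installed-package list in the "name-version" shape pkg_info prints.
SAMPLE_INSTALLED = ["apache-1.3.19", "bind-8.2.2", "bind9-9.1.1", "zsh-4.0.1"]

AFFECTED_RE = re.compile(r"^Affected:\s+(\S+)\s+(\S+)\s*$")


def parse_advisories(text: str) -> list[tuple[str, str]]:
    """Extract (advisory_id, pattern) pairs; every other line is ignored."""
    pairs = []
    for line in text.splitlines():
        m = AFFECTED_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def split_pkg(pkg: str) -> tuple[str, str]:
    """Split 'name-1.2.3' into ('name', '1.2.3'); the version follows the last '-'."""
    name, _, version = pkg.rpartition("-")
    return name, version


def version_key(version: str) -> tuple:
    """Sort key comparing '.'/'_'-separated components numerically where possible.

    Each component becomes (number, suffix); a non-numeric component sorts
    below any numeric one, and a longer version sorts above its prefix.
    """
    parts = []
    for piece in re.split(r"[._]", version):
        num, rest = re.match(r"(\d*)(.*)", piece).groups()
        parts.append((int(num) if num else -1, rest))
    return tuple(parts)


def matches(pattern: str, pkg: str) -> bool:
    """True if the installed package is covered by the advisory pattern."""
    name, version = split_pkg(pkg)
    if "<" in pattern:  # upper-bound range: "name<version"
        pname, bound = pattern.split("<", 1)
        return name == pname and version_key(version) < version_key(bound)
    return fnmatch.fnmatchcase(pkg, pattern)  # glob over the full "name-version"


def find_vulnerable(advisories: list[tuple[str, str]],
                    installed: list[str]) -> list[tuple[str, str]]:
    """Return (package, advisory_id) for every installed package an advisory covers."""
    hits = []
    for adv_id, pattern in advisories:
        for pkg in installed:
            if matches(pattern, pkg):
                hits.append((pkg, adv_id))
    return hits


if __name__ == "__main__":
    for pkg, adv_id in find_vulnerable(parse_advisories(SAMPLE_ADVISORIES),
                                       SAMPLE_INSTALLED):
        print(f"{pkg}: affected by {adv_id}")
```

In a real deployment the advisory text would be fetched from the FTP site Kris names as the canonical location rather than embedded, and the installed list would come from pkg_info; the matching logic stays the same. Note that bind9-9.1.1 is not reported because the bound is exclusive, which is the usual meaning of "versions below X are affected".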