On Thu Sep 25, 2003 at 11:54:20PM -0400, Albert Whale wrote:

> My Apologies Vincent, I didn't mean to post in HTML, but XP Blew up last 
> night on my laptop, and killed my Netscape preferences, I'm still 
> recovering.  Thanks, I've switched to Text mode.

Thank you.  Now if you could work on not setting your reply-to explicitly,
that would be really handy.

> >My response will be short simply due to the fact that you posted in html
> >and I can't quote it and can't be bothered to cut-n-paste.
> >
> My apologies.
> 
> >
> >Every Mandrake advisory includes the CVE names for the correlating problem.
> >Try using the CVE search mechanism on MandrakeSecure.  That should be
> >adequate.  Nessus tells you CVE-bla-bla, you go to MandrakeSecure and do
> >the CVE search for CVE-bla-bla, and immediately you find what advisories,
> >if any, deal with that CVE name.
> > 
> >
> I think that having the CVE to MDKSA posted as a Table would be more 
> beneficial.  I'm sure that your developers have taken great strides to 
> apply patches on the src rpms, all driven by the CVEs.  I'm only asking 
> for a table depicting the CVEs, and MDKSA (with the actual RPM Name) Per OS.

That likely won't be happening anytime soon.  In my mind, this is a project
for a boring day when you're not in the mood to play games.  Seriously,
while I think it sounds interesting, and may be of passing interest to a
bean counter who's into excel sheets and such, for someone with moderate
intelligence to go "ok, nessus gave me this CVE, so I go to MandrakeSecure,
punch in the CVE name in the 'Search CVE' text box, press enter, ok, there I
see the CVE name listed, click on the associated MDKSA name that is right
next to it, and I get all the info on the vuln and all the packages that
fixed it" is a 10 second job, depending on the speed of your net connection.

I really don't think it's that difficult.  What you're proposing is just
"pretty".  Like a little pink ribbon on the back of a dress.  Kinda cute,
but functionally useless.

I don't mean to put down your idea, it is, after all, a decent idea.  The
problem is in the implementation and I just do not have the time or
inclination to do something like this at this time, and likely not for quite
a while.  There are just too many other things that have a higher priority.

The information is all there... you just need to look.  Think of it as a
mini-google.  You *do* use google when you want to get info on something,
right?  You don't just go somewhere and expect to find a pretty chart?  =)

> >And contrary to your shouting, I have nothing against Nessus... I like it.
> >But I'm not gonna turn around name packages
> >"openssh-3.6.1p2-CVE-2003-xxxx-1.1mdk" just so you can avoid using a very
> >simple search field on the website.
> >
> I guess my point was missed.  We don't want to perform queries.  Unless 
> the PHP or HTML Page we pull up from MandrakeSecure Queries the Data to 
> sort it and correlate the CVEs and the MDKSAs (and RPM names).  This is 
> what the Management Teams want to see, one page (maybe more), of 
> Vulnerabilities to Updates.  Thus while you're going through the chart 
> of vulnerabilities, we can EASILY Correlate one page to the report.  Do 
> you really want all of us querying the CVEs for each server??

Sure.

Ok, let's put it this way.  Your management wants this?  Talk to me off
list, I'll give you my rates, and I'll do something up custom for you.  I'll
make it *real* pretty.

If your management teams want this, they should be willing to pay for it,
no?  Heck, no one else does this so it's not like they should be expecting
it or it's some "industry standard".

Anyways, if all your boxes are using Mandrake, just look at the one
advisory.  It lists the packages and their md5sums for all the distros.

> Apologies if you thought that I was hollering, as I wasn't.  Just 
> thinking aloud to stress a point.  We work with Mandrake and Nessus to 
> make the Security Issues disappear.  Making it easier to perform our 
> duties benefits all of us.

I agree.  But I think it's pretty easy right now, which means I will either
need to really be convinced, or someone will have to make it worth my while
to implement.

If your management thinks this is so important, they shouldn't have a
problem paying for the development time.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
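The CVE-to-MDKSA correlation the thread argues about, written out as an added example (not code from this list, from MandrakeSecure, or from either poster): it joins scanner-reported CVE names against advisory records, gives the MDKSA and the package for each host's release, and flags CVEs that no advisory covers for that release, which is the part a lookup by hand tends to miss. The advisory ids, CVE names, hosts and package names are constructed placeholders.

```python
import re

# Constructed sample advisory records (placeholder MDKSA ids, CVE names and package
# names, not real advisories): one advisory can fix several CVEs, one package per release.
ADVISORIES = [
    {"id": "MDKSA-2003:EX1", "cves": ["CVE-2003-0001"],
     "packages": {"9.1": ["openssh-3.6.1p2-1.1mdk"], "9.0": ["openssh-3.4p1-2.1mdk"]}},
    {"id": "MDKSA-2003:EX2", "cves": ["CVE-2003-0002", "CVE-2003-0003"],
     "packages": {"9.1": ["sendmail-8.12.9-1.1mdk"]}},
]

# Constructed sample of scanner output: per host, its release and the CVE names reported.
SCAN_FINDINGS = {
    "web01": {"release": "9.1", "cves": ["CVE-2003-0001", "CVE-2003-0003"]},
    "mail01": {"release": "9.0", "cves": ["CVE-2003-0002", "CVE-2003-9999"]},
}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def build_cve_index(advisories):
    """Map each CVE name to every advisory that lists it (a CVE may appear in several)."""
    index = {}
    for adv in advisories:
        for cve in adv["cves"]:
            index.setdefault(cve, []).append(adv)
    return index


def correlate(findings, index):
    """Rows of (host, cve, mdksa or None, packages for that host's release)."""
    rows = []
    for host, info in findings.items():
        for cve in info["cves"]:
            if not CVE_RE.match(cve):
                raise ValueError(f"{host}: malformed CVE name {cve!r}")
            for adv in index.get(cve) or [None]:  # None: no advisory references this CVE
                pkgs = tuple(adv["packages"].get(info["release"], ())) if adv else ()
                rows.append((host, cve, adv["id"] if adv else None, pkgs))
    return rows


def unresolved(rows):
    """(host, cve) pairs with no advisory, or none shipping a package for that release."""
    return sorted({(h, c) for h, c, adv, pkgs in rows if adv is None or not pkgs})


if __name__ == "__main__":
    for row in correlate(SCAN_FINDINGS, build_cve_index(ADVISORIES)):
        print(*row)
```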
