On Tue, Apr 24, 2001 at 12:07:56PM -0700, Bruce A. Mah wrote:
> If memory serves me right, Kris Kennaway wrote:
> 
> Couple o' random thoughts, don't have time to look into this myself...
> 
> > This could be done as an extension to pkg_version, since much of the
> > code you will need to manage versions is already there, and it's a
> > logical extension of that program's function.
> 
> Or you can use pkg_version's -t flag to help with the comparisons if 
> you think running as a separate script is better.
> 
> > NetBSD have a port called audit-packages which does something similar,
> > but not quite the same as the above (last I checked) -- it might still
> > be useful as a starting point.
> 
> Think about where to put the parsed set of vulnerable packages.  It 
> might live under /usr/ports or reside somewhere on the network.  Use 
> fetch(1) to grab it from there, like pkg_version does for the INDEX 
> file.

The advisories live in a well-known place
(ftp://ftp.freebsd.org/pub/CERT/advisories): an algorithm might be to
check the directory for any new files, and mirror them locally to
e.g. /var/db/advisories to save on bandwidth the next time the script
is run.

The script can also display chunks of the advisory to describe the
details of a vulnerability it finds.

Kris
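The procedure sketched in this thread (find advisories not yet mirrored, fetch them with fetch(1), compare installed package versions the way pkg_version -t does, and show a chunk of the matching advisory), written out as an added POSIX sh example that is not code from the original mail or from FreeBSD. The listing file, the one-line-per-package "parsed set of vulnerable packages" format, the fallback version comparison used when pkg_version(1) is absent, and all sample file names are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the mail thread.  Every file format and
# name below is an assumption for illustration.

# Local mirror of the advisory directory (path suggested in the mail).
ADVISORY_DIR="${ADVISORY_DIR:-/var/db/advisories}"
ADVISORY_URL="${ADVISORY_URL:-ftp://ftp.freebsd.org/pub/CERT/advisories/}"

# new_advisories LISTING DIR
# LISTING holds one remote filename per line (however the script obtained
# the directory index).  Prints the names not yet present in DIR, so only
# those need to be fetched on this run; everything else is already mirrored.
new_advisories() {
    listing=$1; dir=$2
    while IFS= read -r name; do
        case $name in ''|'#'*) continue ;; esac
        [ -e "$dir/$name" ] || printf '%s\n' "$name"
    done < "$listing"
}

# mirror_advisory NAME DIR
# Fetch one advisory into DIR with fetch(1), as the mail suggests.
mirror_advisory() {
    mkdir -p "$2"
    fetch -o "$2/$1" "$ADVISORY_URL$1"
}

# vercmp A B -> prints "<", "=" or ">" in the style of pkg_version -t.
# Uses pkg_version(1) when it exists; otherwise a simplified fallback
# (assumption: dot-separated numeric components, PORTREVISION/PORTEPOCH
# suffixes are ignored).
vercmp() {
    if command -v pkg_version >/dev/null 2>&1; then
        pkg_version -t "$1" "$2"
        return
    fi
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$a" = "$ah" ] && a='' || a=${a#*.}
        [ "$b" = "$bh" ] && b='' || b=${b#*.}
        ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then echo '<'; return; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then echo '>'; return; fi
    done
    echo '='
}

# check_installed VULNLIST INSTALLED DIR
# VULNLIST: "package fixed-version advisory-file" per line (constructed
# format for the parsed set of vulnerable packages mentioned in the thread).
# INSTALLED: "package-version" per line, e.g. what pkg_info prints.
# Prints "package-version advisory-file" for every installed package older
# than the fixed version, followed by the first lines of the mirrored
# advisory so the user sees what the finding is about.
check_installed() {
    vulnlist=$1; installed=$2; dir=$3
    while IFS= read -r pkg; do
        name=${pkg%-*}; ver=${pkg##*-}
        while read -r vname vfixed vadv; do
            [ "$vname" = "$name" ] || continue
            if [ "$(vercmp "$ver" "$vfixed")" = '<' ]; then
                printf '%s %s\n' "$pkg" "$vadv"
                [ -r "$dir/$vadv" ] && head -n 5 "$dir/$vadv"
            fi
        done < "$vulnlist"
    done < "$installed"
    return 0
}

# Typical run (paths are assumptions):
#   new_advisories /tmp/listing "$ADVISORY_DIR" | while read -r n; do
#       mirror_advisory "$n" "$ADVISORY_DIR"; done
#   pkg_info -a 2>/dev/null | awk '/^Information for/{print $3}' | tr -d : \
#       | check_installed /tmp/vulnlist /dev/stdin "$ADVISORY_DIR"
```

The fallback comparison is deliberately crude; on a FreeBSD host the script defers to pkg_version -t, which already knows about PORTREVISION and PORTEPOCH, which is the point Bruce makes about reusing that flag rather than re-implementing version ordering in a script.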
