Hello List,

Chandra and I had a discussion about how to handle Linux tests. The problem is that most Linux distros provide patches for vulnerabilities which do not change the version of the fixed program. So local security checks are not useful in that case.

For example, the cups package on SUSE Linux 10.3, which is version 1.2.12-22.17. The last security announcement for cups says that every version below 1.3.9 is vulnerable. But this SUSE version is a patched, non-vulnerable version. So checking for version < 1.3.9 will give a false positive.

I think it is necessary to check which distro is used, and the script then has to check for distro-specific version numbers, like the securityspace Debian scripts are doing.

Chandra has made the following proposals.
=== Snip ===
Hello Carsten,

This is one of the issues with Linux-based scripts. I raised this in IRC, no response came. The issue is:

1. As you have pointed out, most of the Linux distros have their own packages and versions, and updates are released much later than vulnerabilities are disclosed to the public.
2. There are tar package installations (some might prefer downloading and installing on their own) that are actual package versions. For these, most of the time, as soon as vulnerabilities are disclosed to the public, a patch is made available.

In my view, both of these have to be verified. The way to go about it would be:

Option 1:
1. Release the plugin assuming the public release version (not the distro's package version).
2. When updated packages are made available by each vendor, develop local checks (automated checks) and add a check in #1 to see which Linux distro it is and, based on that, either
   a) exit() if the local check is available. If not, proceed with checking.
   or
   b) Launch the local check for the specific distro by adding that as a dependency.

Option 2:
1. Maintain a backport version of each package for each Linux distribution in an inc.
2. Check for the backported version based on the Linux distribution.
3. Towards the end of the plugin, we can check for a manually installed original version.

Option #2 would be ideal to do, but requires a good amount of work initially to capture versions for each package and keep that up to date every time an update is released.

Please let me know your views.

Thanks,
Chandra.
=== Snap ===

Please let us know your views.

--
Regards, Carsten Koch-Mauthe
http://www.dn-systems.de
mail: [EMAIL PROTECTED]
DN-Systems Enterprise Internet Solutions GmbH
Hornemannstr. 11, 31137 Hildesheim, Germany
Tel. +49-5121-28989-0 Fax. +49-5121-28989-11
21 Sunrise Ct, S.San Francisco, CA 94080, USA
Tel. +1-650-472-2512 Mob. +1-650-430-1219
Commercial register HRB-3213, Hildesheim District Court; Managing Director Lukas Grunwald

_______________________________________________
Openvas-plugins mailing list
[email protected]
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins
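As an added illustration of Chandra's Option 2 (this is not code from the thread or from OpenVAS), a Python sketch of a per-distro backport table that is consulted before falling back to the upstream version cut-off, so a patched SUSE cups 1.2.12-22.17 is not flagged while a hand-built tarball still is. The table contents, the (distro, release) keys and the version ordering rules are constructed assumptions.

```python
import re

# Constructed backport table (assumed values, not from any real advisory feed):
# (distro, release) -> package -> lowest distro build that carries the fix.
# The thread's example: SUSE 10.3 ships cups 1.2.12-22.17 as a patched build.
BACKPORT_FIXED = {
    ("suse", "10.3"): {"cups": "1.2.12-22.17"},
}
# Upstream cut-off from the advisory quoted in the thread: < 1.3.9 is vulnerable.
UPSTREAM_FIXED = {"cups": "1.3.9"}


def _tokens(ver):
    # Split "1.2.12-22.17" into comparable parts: digit runs compare
    # numerically, letter runs lexically (a simplified rpmvercmp-style split).
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", ver)]


def version_lt(a, b):
    """True if version a sorts before b; missing trailing segments count as 0."""
    ta, tb = _tokens(a), _tokens(b)
    n = max(len(ta), len(tb))
    ta += [0] * (n - len(ta))
    tb += [0] * (n - len(tb))
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            # Numeric segments sort after alphabetic ones (rpmvercmp convention).
            return not isinstance(x, int)
        return x < y
    return False


def is_vulnerable(pkg, installed, distro=None, release=None, from_tarball=False):
    """Option 2 from the thread: prefer the distro's backported fix level and
    fall back to the upstream cut-off only when no distro entry exists or the
    package was installed by hand (tarball), where the distro table does not apply."""
    table = BACKPORT_FIXED.get((distro, release), {})
    if not from_tarball and pkg in table:
        return version_lt(installed, table[pkg])
    return version_lt(installed, UPSTREAM_FIXED[pkg])


if __name__ == "__main__":
    # Naive upstream check alone would report the patched SUSE build as vulnerable.
    print("naive:", version_lt("1.2.12-22.17", "1.3.9"))
    print("backport-aware:", is_vulnerable("cups", "1.2.12-22.17", "suse", "10.3"))
```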
