-rw-r--r-- | security/audit-packages/Makefile | 5 | ||||
-rwxr-xr-x | security/audit-packages/files/audit-packages | 27 | ||||
-rw-r--r-- | security/audit-packages/files/audit-packages.0 | 81 | ||||
-rw-r--r-- | security/audit-packages/files/audit-packages.8 | 9 | ||||
-rw-r--r-- | security/audit-packages/files/download-vulnerability-list | 3 |
5 files changed, 69 insertions, 56 deletions
diff --git a/security/audit-packages/Makefile b/security/audit-packages/Makefile index 270a8ed2e7b..e0dcd864f37 100644 --- a/security/audit-packages/Makefile +++ b/security/audit-packages/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.59 2005/08/04 12:02:59 rillig Exp $ +# $NetBSD: Makefile,v 1.60 2005/10/20 10:26:54 agc Exp $ -DISTNAME= audit-packages-1.38 +DISTNAME= audit-packages-1.39 CATEGORIES= security pkgtools MASTER_SITES= # empty DISTFILES= # empty @@ -30,6 +30,7 @@ do-build: -e 's|@FETCH_CMD_SHORT@|${FETCH_CMD:T}|g' \ -e 's|@PKGSRCDIR@|${PKGSRCDIR}|g' \ -e 's|@PKG_TOOLS_BIN@|${PKG_TOOLS_BIN}|g' \ + -e 's|@PREFIX@|${PREFIX}|g' \ -e 's|@SH@|${SH}|g' \ -e 's|@DIGEST@|${DIGEST}|g' \ -e 's|@CHMOD@|${CHMOD}|g' \ diff --git a/security/audit-packages/files/audit-packages b/security/audit-packages/files/audit-packages index 6f60d15c177..d13c97f7766 100755 --- a/security/audit-packages/files/audit-packages +++ b/security/audit-packages/files/audit-packages @@ -1,6 +1,6 @@ #! @SH@ # -# $NetBSD: audit-packages,v 1.22 2005/08/04 12:02:59 rillig Exp $ +# $NetBSD: audit-packages,v 1.23 2005/10/20 10:26:54 agc Exp $ # # Copyright (c) 2000-2003 Alistair Crooks. All rights reserved. # @@ -50,19 +50,28 @@ fi vuls="${PKGVULNDIR}/pkg-vulnerabilities" +download=no verbose=no while [ $# -gt 0 ]; do case "$1" in + -d) download=yes ;; -v) verbose=yes ;; esac shift done +# try to download vulnerability list, as requested +# the integrity of the list is checked below +# so just issue a warning if there was a failure +case "$download" in +yes) @PREFIX@/sbin/download-vulnerability-list || \ + echo "***WARNING***: download-vulnerability-list failure" 1>&2;; +esac + errmsg="" # check for missing vulnerabilities file -if [ ! -f "$vuls" ] -then +if [ ! -f "$vuls" ]; then errmsg="Missing vulnerabilities file $vuls" errsolution="$ERR_DOWNLOAD" fi 
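Review bot: The new comment `# the integrity of the list is checked below` promises more than the code delivers: the checks that follow (the `-f` test on `$vuls` in this hunk and the `#FORMAT` major/minor comparison in the next one) are existence and format checks, not integrity checks, and the list comes from a plain `ftp://` URL with no signature or digest verification visible anywhere in this diff, so a tampered list that keeps a valid `#FORMAT` line passes them all. Reword it to `# the existence and format version of the list are checked below` and add `# TODO: verify the downloaded list's authenticity (signature/digest) before trusting it` so the warning-only failure path is not read as a security guarantee. Using the hard-coded `@PREFIX@/sbin/download-vulnerability-list` path rather than a `PATH` lookup is the right call; note that `-d` now makes an audit run do network I/O and `$PKGVULNDIR` writes as the invoking user, and an unprivileged run will only print the warning and then audit whatever stale copy exists. While touching the option loop, the `case "$1"` still has no `*)` arm, so a mistyped flag is silently ignored rather than rejected with a usage error.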
@@ -78,8 +87,7 @@ esac case "$errmsg" in "") # check that pkg_info is new enough (supports ranges) - if [ `@PKG_TOOLS_BIN@/pkg_info -V` -lt "$PKG_INSTALL_REQUIRED" ] - then + if [ `@PKG_TOOLS_BIN@/pkg_info -V` -lt "$PKG_INSTALL_REQUIRED" ]; then errmsg='Installed pkg_info is too old.' errsolution="$ERR_PKGINSTALL" fi @@ -90,15 +98,12 @@ case "$errmsg" in "") # check format version of vulnerabilities file file_major=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[1] }' "$vuls"` file_minor=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[2] }' "$vuls"` - if [ "x$file_major" = "x" -o "x$file_minor" = "x" ] - then + if [ "x$file_major" = "x" -o "x$file_minor" = "x" ]; then errmsg="No file format version found in $vuls" errsolution="$ERR_DOWNLOAD" - elif [ "$file_major" -ne "$FORMAT_MAJOR" -o "$file_minor" -gt "$FORMAT_MINOR" ] - then + elif [ "$file_major" -ne "$FORMAT_MAJOR" -o "$file_minor" -gt "$FORMAT_MINOR" ]; then errmsg="Unsupported file format version $file_major.$file_minor in $vuls (supported version: $FORMAT_MAJOR.$FORMAT_MINOR)." - if [ "$file_major" -le "$FORMAT_MAJOR" ] - then + if [ "$file_major" -le "$FORMAT_MAJOR" ]; then errsolution="$ERR_DOWNLOAD" else errsolution="$ERR_UPGRADE" diff --git a/security/audit-packages/files/audit-packages.0 b/security/audit-packages/files/audit-packages.0 index f39933a1a3c..52f5e0de014 100644 --- a/security/audit-packages/files/audit-packages.0 +++ b/security/audit-packages/files/audit-packages.0 @@ -1,11 +1,11 @@ AUDIT-PACKAGES(8) NetBSD System Manager's Manual AUDIT-PACKAGES(8) NNAAMMEE - aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt - show vulnerabilities in + aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt -- show vulnerabilities in installed packages SSYYNNOOPPSSIISS - aauuddiitt--ppaacckkaaggeess [--vv] + aauuddiitt--ppaacckkaaggeess [--ddvv] ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt DDEESSCCRRIIPPTTIIOONN 
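Review bot: The rewritten line `if [ `...`pkg_info -V` -lt "$PKG_INSTALL_REQUIRED" ]; then` keeps the command substitution unquoted, so when `pkg_info` is missing, fails, or prints nothing, `[` is left with no left operand, prints an error to stderr and returns non-zero, which the `if` treats as false — the version check is skipped and the audit continues against an unverified `pkg_info`. Fail closed instead: `if ! [ "$(@PKG_TOOLS_BIN@/pkg_info -V 2>/dev/null)" -ge "$PKG_INSTALL_REQUIRED" ] 2>/dev/null; then` routes both "too old" and "could not determine" into the existing `$ERR_PKGINSTALL` path. The enclosing `case "$errmsg" in` block continues outside the hunk.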
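Review bot: The rewritten `elif [ "$file_major" -ne "$FORMAT_MAJOR" -o "$file_minor" -gt "$FORMAT_MINOR" ]; then` assumes both fields are integers; a garbled or hand-edited list whose `#FORMAT` line holds non-numeric text survives the preceding empty-string test, makes `[` error out with a non-zero status, and the `elif` is taken as false, so the file is accepted with `errmsg` still empty — the opposite of what this check exists for, and it is the only sanity check applied to a list fetched over FTP. Inverting the comparison makes it fail closed in one line: `elif ! [ "$file_major" -eq "$FORMAT_MAJOR" -a "$file_minor" -le "$FORMAT_MINOR" ] 2>/dev/null; then`, which sends non-numeric versions down the unsupported-format path (the inner `-le` test will then also error and pick `$ERR_UPGRADE`, which is safe if slightly misleading). The enclosing `case "$errmsg" in` block continues outside the hunk.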
@@ -14,7 +14,9 @@ DDEESSCCRRIIPPTTIIOONN dard output. This output contains the name and version of the package, the type of vulnerability, and an URL for further information for each vulnerable package. If the --vv option is specified, aauuddiitt--ppaacckkaaggeess will - warn when the vulnerabilities file is more than a week old. + warn when the vulnerabilities file is more than a week old. The --dd + option will attempt to download this vulnerabilities file before scanning + the installed packages for vulnerabilities. The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt program downloads this file from _f_t_p_:_/_/_f_t_p_._N_e_t_B_S_D_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_p_a_c_k_a_g_e_s_/_d_i_s_t_f_i_l_e_s_/_p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s 
@@ -25,40 +27,40 @@ DDEESSCCRRIIPPTTIIOONN Each line lists the package and vulnerable versions, the type of exploit, and an Internet address for further information. The type of exploit can be any text, although some common types of exploits listed are: - oo cross-site-html - oo cross-site-scripting - oo denial-of-service - oo file-permissions - oo local-access - oo local-code-execution - oo local-file-read - oo local-file-removal - oo local-file-write - oo local-root-file-view - oo local-root-shell - oo local-symlink-race - oo local-user-file-view - oo local-user-shell - oo privacy-leak - oo remote-code-execution - oo remote-command-inject - oo remote-file-creation - oo remote-file-read - oo remote-file-view - oo remote-file-write - oo remote-key-theft - oo remote-root-access - oo remote-root-shell - oo remote-script-inject - oo remote-server-admin - oo remote-use-of-secret - oo remote-user-access - oo remote-user-file-view - oo remote-user-shell - oo unknown - oo weak-authentication - oo weak-encryption - oo weak-ssl-authentication + ++oo cross-site-html + ++oo cross-site-scripting + ++oo denial-of-service + ++oo file-permissions + ++oo local-access + ++oo local-code-execution + ++oo local-file-read + ++oo local-file-removal + ++oo local-file-write + ++oo local-root-file-view + ++oo local-root-shell + ++oo local-symlink-race + ++oo local-user-file-view + ++oo local-user-shell + ++oo privacy-leak + ++oo remote-code-execution + ++oo remote-command-inject + ++oo remote-file-creation + ++oo remote-file-read + ++oo remote-file-view + ++oo remote-file-write + ++oo remote-key-theft + ++oo remote-root-access + ++oo remote-root-shell + ++oo remote-script-inject + ++oo remote-server-admin + ++oo remote-use-of-secret + ++oo remote-user-access + ++oo remote-user-file-view + ++oo remote-user-shell + ++oo unknown + ++oo weak-authentication + ++oo weak-encryption + ++oo weak-ssl-authentication By default, the vulnerabilities file is stored in the @PKGVULNDIR@ direc- tory. 
This can be changed by defining the environment variable @@ -123,8 +125,7 @@ DDIIAAGGNNOOSSTTIICCSS Update the _p_k_g_t_o_o_l_s_/_p_k_g___i_n_s_t_a_l_l package. SSEEEE AALLSSOO - pkg_info(1), mk.conf(5), packages(7), @PKGSRCDIR@/mk/defaults/mk.conf - and + pkg_info(1), mk.conf(5), packages(7), @PKGSRCDIR@/mk/defaults/mk.conf and _D_o_c_u_m_e_n_t_a_t_i_o_n _o_n _t_h_e _N_e_t_B_S_D _P_a_c_k_a_g_e _S_y_s_t_e_m. @PKGSRCDIR@/doc/pkgsrc.txt @@ -134,4 +135,4 @@ HHIISSTTOORRYY September 19, 2000. The original idea came from Roland Dowdeswell and Bill Sommerfeld. -NetBSD 2.0.2 June 9, 2005 NetBSD 2.0.2 +NetBSD 3.0 June 9, 2005 NetBSD 3.0 diff --git a/security/audit-packages/files/audit-packages.8 b/security/audit-packages/files/audit-packages.8 index fc58ec4ce97..027ddbf4134 100644 --- a/security/audit-packages/files/audit-packages.8 +++ b/security/audit-packages/files/audit-packages.8 @@ -1,4 +1,4 @@ -.\" $NetBSD: audit-packages.8,v 1.14 2005/08/02 00:23:31 reed Exp $ +.\" $NetBSD: audit-packages.8,v 1.15 2005/10/20 10:26:54 agc Exp $ .\" .\" Copyright (c) 2003 Jeremy C. Reed. All rights reserved. .\" @@ -39,7 +39,7 @@ .Nd show vulnerabilities in installed packages .Sh SYNOPSIS .Nm -.Op Fl v +.Op Fl dv .Nm download-vulnerability-list .Sh DESCRIPTION The @@ -55,6 +55,11 @@ If the option is specified, .Nm will warn when the vulnerabilities file is more than a week old. +The +.Fl d +option will attempt to download this vulnerabilities +file before scanning +the installed packages for vulnerabilities. .Pp The .Nm download-vulnerability-list diff --git a/security/audit-packages/files/download-vulnerability-list b/security/audit-packages/files/download-vulnerability-list index 7a2c566e4c2..886c2e0d399 100644 --- a/security/audit-packages/files/download-vulnerability-list +++ b/security/audit-packages/files/download-vulnerability-list 
@@ -1,6 +1,6 @@ #! @SH@ -# $NetBSD: download-vulnerability-list,v 1.26 2005/02/11 16:51:16 agc Exp $ +# $NetBSD: download-vulnerability-list,v 1.27 2005/10/20 10:26:54 agc Exp $ # # Copyright (c) 2000-2003 Alistair Crooks. All rights reserved. # @@ -39,6 +39,7 @@ VUL_SOURCE="ftp://ftp.NetBSD.org/pub/NetBSD/packages/distfiles/pkg-vulnerabiliti NEW_VUL_LIST=pkg-vulnerabilities.$$ EXIST_VUL_LIST=pkg-vulnerabilities +# pick up any settings in audit-packages.conf if [ -r @PKG_SYSCONFDIR@/audit-packages.conf ]; then echo "Reading settings from @PKG_SYSCONFDIR@/audit-packages.conf" . @PKG_SYSCONFDIR@/audit-packages.conf |
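Review bot: The new comment `# pick up any settings in audit-packages.conf` undersells what the following `.` line does: the file is sourced as shell code, so it can redefine `VUL_SOURCE`, `NEW_VUL_LIST`, or any command used later in the script, and now that `audit-packages -d` runs this script as part of an audit, a writable config file is a way to redirect where the vulnerability list is fetched from. Make that explicit: `# source audit-packages.conf as shell code (it may override VUL_SOURCE etc.); it must be root-owned and not writable by other users`. The `[ -r ... ]` test only establishes readability, so if this is expected to run as root, consider refusing to source a group- or world-writable file rather than relying on the comment alone. The fetch and install logic that consumes these variables is outside the hunk.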