Diffstat (limited to 'pkgtools')
-rw-r--r-- | pkgtools/pkg_install/files/audit-packages/audit-packages.cat1.in | 171 |
1 files changed, 89 insertions, 82 deletions
diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.cat1.in b/pkgtools/pkg_install/files/audit-packages/audit-packages.cat1.in index b0473d8c40c..2f0bacc0e09 100644 --- a/pkgtools/pkg_install/files/audit-packages/audit-packages.cat1.in +++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.cat1.in 
@@ -19,49 +19,51 @@ DDEESSCCRRIIPPTTIIOONN The following flags are supported: - --dd Attempt to download the vulnerabilities file using the - _d_o_w_n_l_o_a_d_-_v_u_l_n_e_r_a_b_i_l_i_t_y_-_l_i_s_t script before scanning the - installed packages for vulnerabilities. + --cc _c_o_n_f_i_g___f_i_l_e Specify a custom _c_o_n_f_i_g___f_i_l_e configuration file to use. - --ee Check for end-of-life (eol) packages. + --dd Attempt to download the vulnerabilities file using the + ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt script before scanning the + installed packages for vulnerabilities. - --ss Verify the signature of the current _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s - file. The key used to sign the file is available from: - _f_t_p_._n_e_t_b_s_d_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_s_e_c_u_r_i_t_y_/_P_G_P_/_p_k_g_s_r_c_-_s_e_c_u_r_i_t_y_@_N_e_t_B_S_D_._o_r_g_._a_s_c + --ee Check for end-of-life (eol) packages. - In order for this to function correctly the above key must - be added to the gpg keyring of the user who runs - _a_u_d_i_t_-_p_a_c_k_a_g_e_s _-_s and/or _d_o_w_n_l_o_a_d_-_v_u_l_n_e_r_a_b_i_l_i_t_y_-_l_i_s_t _-_s. - In addition to this the gpg binary must be installed on - your system. The path to the gpg binary can be set in - audit-packages.conf(5). + --gg _f_i_l_e Compute the SHA512 hash on _f_i_l_e. - The requirement for GnuPG may go away in the future when a - suitable replacement is implemented. + --hh _f_i_l_e Check the SHA512 hash of a _f_i_l_e against the internally + stored value. - --VV Display the version number and exit. + --KK _p_k_g___d_b_d_i_r Use package database directory _p_k_g___d_b_d_i_r. - --vv Be more verbose. Specify multiple -v flags to increase ver- - bosity. Currently a maximum level of three is supported. + --nn _p_a_c_k_a_g_e Check only the package _p_a_c_k_a_g_e for vulnerabilities. - --cc _c_o_n_f___f_i_l_e Specify a custom _c_o_n_f___f_i_l_e configuration file to use. 
+ --pp _p_a_c_k_a_g_e Check only the installed package _p_a_c_k_a_g_e for vulnera- + bilities. - --gg _f_i_l_e Compute the SHA512 hash on _f_i_l_e. + --QQ _v_a_r_n_a_m_e Display the current value of _v_a_r_n_a_m_e and exit. Cur- + rently supported _v_a_r_n_a_m_e are GPG, PKGVULNDIR, and + IGNORE_URLS. - --hh _f_i_l_e Check the SHA512 hash of a _f_i_l_e against the internally - stored value. + --ss Verify the signature of the current _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s + file. The key used to sign the file is available from: + _f_t_p_:_/_/_f_t_p_._n_e_t_b_s_d_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_s_e_c_u_r_i_t_y_/_P_G_P_/_p_k_g_s_r_c_-_s_e_c_u_r_i_t_y_@_N_e_t_B_S_D_._o_r_g_._a_s_c - --KK _p_k_g___d_b_d_i_r Use package database directory _p_k_g___d_b_d_i_r. + In order for this to function correctly the above key + must be added to the gpg keyring of the user who runs + aauuddiitt--ppaacckkaaggeess --ss and/or ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt + --ss. In addition to this the gpg binary must be + installed on your system. The path to the gpg binary + can be set in audit-packages.conf(5). - --nn _p_a_c_k_a_g_e Check only the package _p_a_c_k_a_g_e for vulnerabilities. + The requirement for GnuPG may go away in the future + when a suitable replacement is implemented. - --pp _p_a_c_k_a_g_e Check only the installed package _p_a_c_k_a_g_e for vulnerabili- - ties. + --tt _t_y_p_e Only check for the specified _t_y_p_e of vulnerability. - --QQ _v_a_r_n_a_m_e Display the current value of _v_a_r_n_a_m_e and exit. Currently - supported _v_a_r_n_a_m_e are GPG, PKGVULNDIR and IGNORE_URLS. + --VV Display the version number and exit. - --tt _t_y_p_e Only check for the specified _t_y_p_e of vulnerability. + --vv Be more verbose. Specify multiple --vv flags to increase + verbosity. Currently a maximum level of three is sup- + ported. 
The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt program downloads the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file from _f_t_p_._N_e_t_B_S_D_._o_r_g using ftp(1) by default. This vulnerabilities @@ -70,18 +72,18 @@ DDEESSCCRRIIPPTTIIOONN The following flags are supported: - --hh Display program usage. + --cc _c_o_n_f_i_g___f_i_l_e Specify a custom _c_o_n_f_i_g___f_i_l_e configuration file to use. - --ss Verify the signature of the current _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s - file. In order for this to function correctly you will - need to add the pkgsrc Security Team key to your gpg - keyring and trust it. The key is available from: - _f_t_p_._n_e_t_b_s_d_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_s_e_c_u_r_i_t_y_/_P_G_P_/_p_k_g_s_r_c_-_s_e_c_u_r_i_t_y_@_N_e_t_B_S_D_._o_r_g_._a_s_c - In addition to this the gpg binary must be installed on - your system. The path to the gpg binary can be set in - audit-packages.conf(5). + --hh Display program usage. - --cc _c_o_n_f___f_i_l_e Specify a custom _c_o_n_f___f_i_l_e configuration file to use. + --ss Verify the signature of the current _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s + file. In order for this to function correctly you will + need to add the pkgsrc Security Team key to your gpg + keyring and trust it. The key is available from: + _f_t_p_:_/_/_f_t_p_._n_e_t_b_s_d_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_s_e_c_u_r_i_t_y_/_P_G_P_/_p_k_g_s_r_c_-_s_e_c_u_r_i_t_y_@_N_e_t_B_S_D_._o_r_g_._a_s_c + In addition to this the gpg binary must be installed on + your system. The path to the gpg binary can be set in + audit-packages.conf(5). By default ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt will download a compressed version of _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s from ftp.netbsd.org. The default file downloaded 
@@ -96,65 +98,69 @@ DDEESSCCRRIIPPTTIIOONN The type of exploit can be any text, although some common types of exploits listed are: - ·· cross-site-html - ·· cross-site-scripting - ·· denial-of-service - ·· eol - ·· file-permissions - ·· local-access - ·· local-code-execution - ·· local-file-read - ·· local-file-removal - ·· local-file-write - ·· local-root-file-view - ·· local-root-shell - ·· local-symlink-race - ·· local-user-file-view - ·· local-user-shell - ·· privacy-leak - ·· remote-code-execution - ·· remote-command-inject - ·· remote-file-creation - ·· remote-file-read - ·· remote-file-view - ·· remote-file-write - ·· remote-key-theft - ·· remote-root-access - ·· remote-root-shell - ·· remote-script-inject - ·· remote-server-admin - ·· remote-use-of-secret - ·· remote-user-access - ·· remote-user-file-view - ·· remote-user-shell - ·· unknown - ·· weak-authentication - ·· weak-encryption - ·· weak-ssl-authentication + ++oo cross-site-html + ++oo cross-site-scripting + ++oo denial-of-service + ++oo eol + ++oo file-permissions + ++oo local-access + ++oo local-code-execution + ++oo local-file-read + ++oo local-file-removal + ++oo local-file-write + ++oo local-root-file-view + ++oo local-root-shell + ++oo local-symlink-race + ++oo local-user-file-view + ++oo local-user-shell + ++oo privacy-leak + ++oo remote-code-execution + ++oo remote-command-inject + ++oo remote-file-creation + ++oo remote-file-read + ++oo remote-file-view + ++oo remote-file-write + ++oo remote-key-theft + ++oo remote-root-access + ++oo remote-root-shell + ++oo remote-script-inject + ++oo remote-server-admin + ++oo remote-use-of-secret + ++oo remote-user-access + ++oo remote-user-file-view + ++oo remote-user-shell + ++oo unknown + ++oo weak-authentication + ++oo weak-encryption + ++oo weak-ssl-authentication The type _e_o_l implies that the package is no longer maintained by the software vendor but is provided by the pkgsrc team for your convenience only. 
It may contain any number of the above mentioned vulnerabilities. - Any packages of type eol are not reported by default. Run aauuddiitt--ppaacckkaaggeess + Any packages of type eol are not reported by default. Run aauuddiitt--ppaacckkaaggeess --ee to also report on eol packages. By default, the vulnerabilities file is stored in the PKG_DBDIR direc- tory. On a standard installation this will be set to @pkgdbdir@. If you have installed pkgsrc on a supported platform this will be what ever you - specifed when bootstrapping pkgsrc i.e. --pkgdbdir <pkgdbdir>. The path + specifed when bootstrapping pkgsrc i.e., ----ppkkggddbbddiirr <_p_k_g_d_b_d_i_r>. The path to the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file can be set in audit-packages.conf(5). EEXXIITT SSTTAATTUUSS The aauuddiitt--ppaacckkaaggeess utility exits 0 on success, and >0 if an error occurs. FFIILLEESS - @pkgdbdir@/pkg-vulnerabilities + @pkgdbdir@/pkg-vulnerabilities Vulnerabilities database. - @sysconfdir@/audit-packages.conf + @sysconfdir@/audit-packages.conf aauuddiitt--ppaacckkaaggeess configuration file. + + ftp://ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc + Key used to sign the vulnerabilities + file. EEXXAAMMPPLLEESS The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be run via cron(8) to update - the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file daily. And aauuddiitt--ppaacckkaaggeess can be run via + the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file daily. aauuddiitt--ppaacckkaaggeess can be run via cron(8) (or with NetBSD's _/_e_t_c_/_s_e_c_u_r_i_t_y_._l_o_c_a_l daily security script). The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be forced to use IPv4 with 
@@ -169,8 +175,9 @@ EEXXAAMMPPLLEESS FETCH_PROTO="http" SSEEEE AALLSSOO - pkg_info(1), audit-packages.conf(5), mk.conf(5), pkgsrc(7), _D_o_c_u_m_e_n_t_a_t_i_o_n - _o_n _t_h_e _N_e_t_B_S_D _P_a_c_k_a_g_e _S_y_s_t_e_m + pkg_info(1), audit-packages.conf(5), mk.conf(5), pkgsrc(7), + + _D_o_c_u_m_e_n_t_a_t_i_o_n _o_n _t_h_e _N_e_t_B_S_D _P_a_c_k_a_g_e _S_y_s_t_e_m. HHIISSTTOORRYY The aauuddiitt--ppaacckkaaggeess and ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt commands were origi- @@ -180,4 +187,4 @@ HHIISSTTOORRYY signatures on downloaded files. The original idea came from Roland Dowdeswell and Bill Sommerfeld. -NetBSD 4.0 July 07, 2007 NetBSD 4.0 +NetBSD 4.0 August 10, 2007 NetBSD 4.0 |
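Review bot: in the @@ -19,49 +19,51 @@ hunk, this is the preformatted cat1 page and the diffstat (limited to pkgtools) lists only this file, so the alphabetical reordering of the flags, the conf_file to config_file rename and the ftp:// scheme added to the key URL need to be carried in the roff source the cat page is generated from as well, or the next regeneration will silently revert them. Separately, the reordered -n and -p entries now sit next to each other and read almost identically ("Check only the package package" versus "Check only the installed package package"); one sentence stating how -n differs from -p would save readers guessing.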
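Review bot: in the @@ -70,18 +72,18 @@ hunk, the -s entry still tells the user to fetch the pkgsrc Security Team key from ftp://ftp.netbsd.org/... and "trust it", but a key pulled over plain ftp(1) is itself unauthenticated, so the signature check on pkg-vulnerabilities only proves the file matches whatever key arrived. The text should add that the key's fingerprint must be compared against a value obtained independently of that download before it is trusted. Spelling the ftp:// scheme out in the URL is otherwise a clear improvement over the bare hostname path.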
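Review bot: in the @@ -96,65 +98,69 @@ hunk, the edited line "+ specifed when bootstrapping pkgsrc i.e., ----ppkkggddbbddiirr <_p_k_g_d_b_d_i_r>." keeps the typo "specifed", and the unchanged line just above it has "what ever"; since the sentence is being touched anyway, fix both to "specified" and "whatever". The added "--ee" in "Run audit-packages -e to also report on eol packages" and the new FILES entry for the signing key close real gaps in the page, so those parts look right.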
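Review bot: in the @@ -169,8 +175,9 @@ hunk, the SEE ALSO cross-reference list now ends with a trailing comma ("pkgsrc(7),") followed by a blank line and "Documentation on the NetBSD Package System." as its own paragraph; the dangling comma reads as a formatting slip. If the book reference is intended as a separate block, drop the comma after pkgsrc(7); if not, keep it on the same line as before.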