| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
in PR 25654 from Hauke Fath.
Take any non-standard values from audit-packages.conf file in
audit-packages as well as download-vulnerability-list.
Fix the pre-formatted documentation so that filenames to be
substituted are not formatted with the bold or underline "overstrikes"
on ttys, so that the correct sed substitutions take place at package
install time.
|
|
audit-packages version is now 1.31.
|
|
failed completely. Welcome to 1.30.
|
|
only regen on SunOS or AIX - the pre-generated pages _are_ mandoc type
pages, so we can use them on more platforms than just Irix.
|
|
regular
|
|
under IRIX. Other OS regen the catman page.
This addresses PR pkg/23452.
Since just depending on textproc/groff would pull in a large number of
packages (such as perl, ghostscript, tiff etc.), and since this is a very
important package that should NOT depend on all this gunk, Jeremy C. Reed
suggested this solution.
Ok agc.
|
|
supporting using the FreeBSD "fetch" command to get the vulnerabilities
list. Patch provided in PR 24371 by Michal Pasternak.
|
|
|
|
Define NO_BUILDLINK to signify this to bsd.pkg.mk.
|
|
|
|
By popular demand, add a -v switch to audit-packages(8) which enables the
check for a package vulnerabilities file being unchanged for over 7 days.
To enable the check, -v must be specified on the command line:
% audit-packages
% audit-packages -v
*** WARNING - /usr/distfiles/pkg-vulnerabilities more than a week old, continuing...
%
|
|
|
|
|
|
Difference from previous version (1.26):
+ if the vulnerability list is older than a week, just display a warning
message - don't consider this a fatal error.
|
|
Added support for audit-packages.conf. This file can be used
to define environment variables (e.g. FETCH_ARGS).
|
|
+ get rid of unnecessary awk invocation in audit-packages, use shell
construction instead, pointed out by enami tsugutomo. Cuts system and
user execution times for audit-packages in half.
+ add (4-clause) licences to audit-packages and download-vulnerability-list
+ check integrity of pkg-vulnerabilities file in audit-packages by using
the same construct as in download-vulnerability-list
+ CSE in error checking in audit-packages
+ properly terminate a case expression in download-vulnerability-list
|
|
Simplify quoting syntax in the awk command, so that gawk-3.1.3 (as found in
NetBSD-current) doesn't have a problem with a malformed escape sequence.
With thanks to Johnny Lam for testing with an older version of gawk.
|
|
Use the first word of ${FETCH_CMD} to determine which utility is used.
Addresses PR 22760 from Todd Vierling.
|
|
Make an informational message clearer.
|
|
download-vulnerability-list(8) now needs digest(1).
Hence put digest package as a runtime dependency of audit-packages
package.
|
|
Support wget and curl as FETCH_CMDs, as discussed in PR 19103.
|
|
"audit-packages" script. Bump package version again.
|
|
Changes from previous version:
+ rely on an embedded sha1 digest to tell whether the vulnerabilities
file has been damaged in transit or received successfully, rather than
trusting that the file will not grow smaller
+ use the new filename "pkg-vulnerabilities"
+ use definitions from defs.${OPSYS}.mk in the download-vulnerability-list
script
+ at installation time, don't rely on "ln -sf" to DTRT - explicitly call
"rm -f" before attempting the symbolc link
With thanks to seb@ for testing.
|
|
Instead of using the number of bytes to determine whether or not the
file has shrunk, use the number of lines. This will allow for
spelling corrections, login name of committers being shorter than
others, etc. This is a temporary measure until a better distribution
mechanism is used. Suggested by David Brownlee.
|
|
|
|
|
|
It broke installation of audit-packages as the first package in the system.
Okayed by Alistair.
|
|
|
|
Bump to 1.16.
|
|
The directory ${PKGVULNDIR)} holding the 'vulnerabilities' file
which default value is determined at configure time can now be
overridden at runtime from the environment.
As a side effect the strings substituted at configure time in
files/{audit-packages,download-vulnerability-list} are now of the
form '@VAR@' and not '${VAR}'.
|
|
store the vulnerabilities file. This variable was already recognized by
audit-packages but not by bsd.pkg.mk which hardcoded DISTDIR.
|
|
|
|
Addresses part of pkg/17368.
Bump to 1.14.
|
|
|
|
the latter is not appropriate. The former defaults to the latter.
Bump version to 1.12. Per discussion with Alistair Crooks.
|
|
Toru TAKAMIZU <ttaka@ma1.seikyou.ne.jp>
|
|
Bump version to 1.11
|
|
Solaris. Bump to 1.10.
|
|
Noted by Kimmo Suominen. Bump to 1.9.
|
|
Fix a problem which occurs if the vulnerability list does not already exist.
This fixes PR 12763 from Brian de Alwis (bsd@cs.ubc.ca), albeit in a
slightly different manner. (I also added a check for the existence of
the new vulnerabilities file, in case it was not downloaded for some
reason).
|
|
Incorporates the following changes from Anne Bennett
(anne@alcor.concordia.ca) in PR 12538:
(1) Running download-vulnerability-list as it stands from cron will
spam the sysadmin with ftp output. Easy to fix: redirect output
to /dev/null as per the example in pkg/MESSAGE. Problem: now
we lose some error messages as well. Patch: make sure error
complaints in that script are spouted to STDERR, not STDOUT.
(3) Minor readability issue: set the source location for the
vulnerability list in a variable at the top of the script.
(4) PR 12457 reported that audit-packages complained spuriously
when the vulnerability list had not been updated in over a
week, and suggested touching it as a solution. This loses
the information of when the file was really last updated.
I'd prefer to always "mv" the new file into place, and use
mtime instead of ctime in the file freshness test.
I did this part of the PR differently, as I was worried about
incomplete vulnerability lists being downloaded, and overwriting an
existing vulnerability list:
(2) ftp failure in download-vulnerability-list is not being detected
properly by the current "${FETCH_CMD} .. || (complain; exit 1)"
test. Patch: test for a non-zero vulnerability file instead.
Don't forget to remove any zero-length droppings, if any.
We know that the vulnerability list size will increase, and not
decrease, so test the size of the newly-downloaded file. If the new
file is smaller than the existing file, then a bad transfer has taken
place - log this fact, and remove the new list.
|
|
Always touch the downloaded vulnerability list, so that the audit-packages
script doesn't moan erroneously.
From Jim Bernard, in PR 12457.
|
|
one - addresses 2nd part of PR 12457, from Jim Bernard.
|
|
existence of ${DISTDIR}, and to create it if it doesn't exist. This
is for machines built with binary packages, which lack pkgsrc, but
this way preserves the location of the vulnerabilities file.
Addresses PR 12367
|
|
|
|
when vulnerability list is not updated for more than a week.
solves PR 11463 (there are other ways to solve this, i'm open to your opinion).
|
|
check if vulnerabilities file is more than a week old, and whine if it is
whine to stderr rather than stdout
|
|
file not present.
|
|
installed packages which are insecure and open to exploitation.
The original idea came from Roland Dowdeswell and Bill Sommerfeld, quite
independently, the unorthodox implementation by me.
This package contains two scripts:
(1) download-vulnerability-list, which downloads a list of vulnerable
packages from the NetBSD ftp server, and
(2) audit-packages, which scans all the packages installed on the
local machine, looking for packages which are vulnerable.
|
