AUDIT-PACKAGES(8)       NetBSD System Manager's Manual       AUDIT-PACKAGES(8)

NNAAMMEE
     aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt - show vulnerabilities in
     installed packages

SSYYNNOOPPSSIISS
     aauuddiitt--ppaacckkaaggeess [--vv]
     ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt

DDEESSCCRRIIPPTTIIOONN
     The aauuddiitt--ppaacckkaaggeess program compares the installed packages with the
     _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file and reports any known security issues to stan-
     dard output.  This output contains the name and version of the package,
     the type of vulnerability, and an URL for further information for each
     vulnerable package.  If the --vv option is specified, aauuddiitt--ppaacckkaaggeess will
     warn when the vulnerabilities file is more than a week old.

     The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt program downloads this file from
     _f_t_p_:_/_/_f_t_p_._N_e_t_B_S_D_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_p_a_c_k_a_g_e_s_/_d_i_s_t_f_i_l_e_s_/_p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s
     using @FETCH_CMD_SHORT@(1).  This vulnerabilities file documents all
     known security issues in pkgsrc packages and is kept up-to-date by the
     NetBSD packages team.

     Each line lists the package and vulnerable versions, the type of exploit,
     and an Internet address for further information.  The type of exploit can
     be any text, although some common types of exploits listed are:
           ++oo   cross-site-html
           ++oo   cross-site-scripting
           ++oo   denial-of-service
           ++oo   file-permissions
           ++oo   local-access
           ++oo   local-code-execution
           ++oo   local-file-read
           ++oo   local-file-removal
           ++oo   local-file-write
           ++oo   local-root-file-view
           ++oo   local-root-shell
           ++oo   local-symlink-race
           ++oo   local-user-file-view
           ++oo   local-user-shell
           ++oo   privacy-leak
           ++oo   remote-code-execution
           ++oo   remote-command-inject
           ++oo   remote-file-creation
           ++oo   remote-file-read
           ++oo   remote-file-view
           ++oo   remote-file-write
           ++oo   remote-key-theft
           ++oo   remote-root-access
           ++oo   remote-root-shell
           ++oo   remote-script-inject
           ++oo   remote-server-admin
           ++oo   remote-use-of-secret
           ++oo   remote-user-access
           ++oo   remote-user-file-view
           ++oo   remote-user-shell
           ++oo   unknown
           ++oo   weak-authentication
           ++oo   weak-encryption
           ++oo   weak-ssl-authentication

     By default, the vulnerabilities file is stored in the @PKGVULNDIR@ direc-
     tory.  This can be changed by defining the environment variable
     PKGVULNDIR to the directory containing the vulnerabilities file.

EENNVVIIRROONNMMEENNTT
     These variables can also be defined in the @PKG_SYSCONFDIR@/audit-pack-
     ages.conf file.

     PKGVULNDIR  Specifies the directory containing the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s
                 file.

     FETCH_ARGS  Specifies optional arguments for the ftp client.

FFIILLEESS
     @PKGVULNDIR@/pkg-vulnerabilities

     @PKG_SYSCONFDIR@/audit-packages.conf

EEXXAAMMPPLLEESS
     The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be run via cron(8) to update
     the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file daily.  And aauuddiitt--ppaacckkaaggeess can be run via
     cron(8) (or with NetBSD's _/_e_t_c_/_s_e_c_u_r_i_t_y_._l_o_c_a_l daily security script).

     The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be forced to use IPv4 with
     the following setting in @PKG_SYSCONFDIR@/audit-packages.conf :

     export FETCH_ARGS="-4"

SSEEEE AALLSSOO
     pkg_info(1), mk.conf(5), packages(7), @PKGSRCDIR@/mk/bsd.pkg.defaults.mk
     and

     _D_o_c_u_m_e_n_t_a_t_i_o_n _o_n _t_h_e _N_e_t_B_S_D _P_a_c_k_a_g_e _S_y_s_t_e_m.  @PKGSRCDIR@/Packages.txt

HHIISSTTOORRYY
     The aauuddiitt--ppaacckkaaggeess and ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt commands were origi-
     nally implemented and added to NetBSD's pkgsrc by Alistair Crooks on
     September 19, 2000.  The original idea came from Roland Dowdeswell and
     Bill Sommerfeld.

NetBSD 2.0                       May 12, 2004                       NetBSD 2.0