.\" $NetBSD: audit-packages.8,v 1.3.2.1 2003/12/30 15:45:01 agc Exp $
.Dd December 3, 2003
.Os
.Dt AUDIT-PACKAGES 8
.Sh NAME
.Nm audit-packages ,
.Nm download-vulnerability-list
.Nd show vulnerabilities in installed packages
.Sh SYNOPSIS
.Nm
.Nm download-vulnerability-list
.Sh DESCRIPTION
The
.Nm
program compares the installed packages with the
.Pa pkg-vulnerabilities
file and reports any known security issues to standard output.
For each vulnerable package, the output contains the name and version
of the package, the type of vulnerability, and a URL for further
information.
.Pp
The
.Nm download-vulnerability-list
program downloads this file from
.Pa ftp://ftp.NetBSD.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities
using
.Xr @FETCH_CMD_SHORT@ 1 .
This vulnerabilities file documents all known security issues in pkgsrc
packages and is kept up-to-date by the
.Nx
packages team.
.Pp
Each line lists the package and vulnerable versions, the type of
exploit, and an Internet address for further information.
Commonly, the types of exploits listed are:
.Bl -bullet -compact -offset indent
.It
cross-site-html
.It
cross-site-scripting
.It
denial-of-service
.It
file-permissions
.It
local-access
.It
local-code-execution
.It
local-file-read
.It
local-file-removal
.It
local-file-write
.It
local-root-file-view
.It
local-root-shell
.It
local-symlink-race
.It
local-user-file-view
.It
local-user-shell
.It
privacy-leak
.It
remote-code-execution
.It
remote-command-inject
.It
remote-file-creation
.It
remote-file-read
.It
remote-file-view
.It
remote-file-write
.It
remote-key-theft
.It
remote-root-access
.It
remote-root-shell
.It
remote-script-inject
.It
remote-server-admin
.It
remote-use-of-secret
.It
remote-user-access
.It
remote-user-file-view
.It
remote-user-shell
.It
unknown
.It
weak-authentication
.It
weak-encryption
.It
weak-ssl-authentication
.El
.Pp
By default, the vulnerabilities file is stored in the
.Pa @PKGVULNDIR@
directory.
This can be changed by defining the environment variable
.Ev PKGVULNDIR
to the directory containing the vulnerabilities file.
.Sh ENVIRONMENT
These variables can also be defined in the
.Pa @PKG_SYSCONFDIR@/audit-packages.conf
file.
.Pp
.Bl -tag -width PKGVULNDIR
.It Ev PKGVULNDIR
Specifies the directory containing the
.Pa pkg-vulnerabilities
file.
.It Ev FETCH_ARGS
Specifies optional arguments for the ftp client,
.Xr @FETCH_CMD_SHORT@ 1 .
.El
.Sh FILES
.Pa @PKGVULNDIR@/pkg-vulnerabilities
.Pp
.Pa @PKG_SYSCONFDIR@/audit-packages.conf
.\" .Sh EXAMPLES
.Sh EXAMPLES
The
.Nm download-vulnerability-list
command can be run via
.Xr cron 8
to update the
.Pa pkg-vulnerabilities
file daily, and
.Nm
can then be run via
.Xr cron 8
(or from
.Nx Ns 's
.Pa /etc/security.local
daily security script).
.Pp
The
.Nm download-vulnerability-list
command can be forced to use IPv4 with the following setting in
.Pa @PKG_SYSCONFDIR@/audit-packages.conf :
.Pp
.Dl export FETCH_ARGS="-4"
.Sh SEE ALSO
.Xr pkg_info 1 ,
.Xr mk.conf 5 ,
.Xr packages 7 ,
.Pa @PKGSRCDIR@/mk/bsd.pkg.defaults.mk
and
.Rs
.%T "Documentation on the NetBSD Package System"
.Re
.Pa @PKGSRCDIR@/Packages.txt
.Sh HISTORY
The
.Nm
and
.Nm download-vulnerability-list
commands were originally implemented and added to
.Nx Ns 's
pkgsrc by
.An Alistair Crooks
on September 19, 2000.
The original idea came from Roland Dowdeswell and Bill Sommerfeld.
.\" .Sh AUTHORS
.\" .Sh SECURITY CONSIDERATIONS
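The comparison step described under DESCRIPTION (installed package versus a "pattern, exploit type, URL" line of pkg-vulnerabilities), as an added example that is not part of audit-packages or pkgsrc. It is a small Python re-implementation run over a constructed excerpt of the vulnerabilities file and a constructed installed-package list. The pattern syntax it accepts (dewey relations such as foo<1.2.3 and foo>=2.0<2.0.5, csh-style {a,b} alternation, and shell globs such as foo-[0-9]*), the ordering rules for nb/rc/alpha suffixes, and the wording of the report lines are assumptions modelled on pkg_info patterns, not taken from this page; the real audit-packages leaves pattern matching to the package tools. All package names, versions and URLs are made up.

```python
"""Toy re-implementation of the audit-packages comparison step (added example)."""
import fnmatch
import re

# Constructed excerpt in the pkg-vulnerabilities layout described in the man
# page: one entry per line, "package-pattern exploit-type URL", '#' comments.
# All names, versions and URLs here are made up.
VULNERABILITIES = """\
# pattern               type                  reference
foo<1.2.3               remote-root-shell     http://example.invalid/foo
bar>=2.0<2.0.5          denial-of-service     http://example.invalid/bar
baz-1.0{,nb1}           local-symlink-race    http://example.invalid/baz
qux-[0-9]*              weak-encryption       http://example.invalid/qux
"""

# Constructed stand-in for the installed package list (pkg_info -e '*' style).
INSTALLED = ["foo-1.2.2", "foo-1.2.3", "bar-2.0.4nb1", "bar-2.0.5",
             "baz-1.0nb1", "qux-0.9", "quux-3.1"]

# Assumed ordering of pre-release and revision suffixes: 1.0alpha1 < 1.0rc1
# < 1.0 < 1.0nb1 < 1.0.1 (a simplification of pkgsrc's dewey rules).
MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0, "nb": 0}


def dewey(version):
    """Split '1.2.3nb4' into comparable integer components."""
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append(int(tok) if tok.isdigit() else MODIFIERS.get(tok.lower(), 0))
    return parts


def dewey_cmp(a, b):
    """Return -1, 0 or 1 like strcmp, but on version components, not strings."""
    pa, pb = dewey(a), dewey(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))      # '1.0' and '1.0.0' compare equal
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
       ">": lambda c: c > 0, ">=": lambda c: c >= 0}


def brace_expand(pattern):
    """Expand csh-style alternation: 'baz-1.0{,nb1}' -> ['baz-1.0', 'baz-1.0nb1']."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(brace_expand(pattern[:m.start()] + alt + pattern[m.end():]))
    return expanded


def pattern_matches(pattern, name, version):
    """True if installed package name-version falls under the vulnerability pattern."""
    for pat in brace_expand(pattern):
        m = re.match(r"^([^<>=]+)((?:[<>]=?|=)[^<>=]+)+$", pat)
        if m:                                  # dewey pattern: name, then op/version pairs
            if m.group(1) != name:
                continue
            conds = re.findall(r"([<>]=?|=)([^<>=]+)", pat[len(m.group(1)):])
            if all(OPS[op](dewey_cmp(version, ver)) for op, ver in conds):
                return True
        elif fnmatch.fnmatchcase(f"{name}-{version}", pat):   # glob or exact name-version
            return True
    return False


def parse_vulnerabilities(text):
    """Return (pattern, exploit-type, url) triples, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, kind, url = line.split(None, 2)
            entries.append((pattern, kind, url))
    return entries


def audit(installed, vulnerabilities_text):
    """One report line per (package, matching entry); wording is an assumption."""
    report = []
    entries = parse_vulnerabilities(vulnerabilities_text)
    for pkg in installed:
        name, version = pkg.rsplit("-", 1)   # pkgsrc: the version follows the last '-'
        for pattern, kind, url in entries:
            if pattern_matches(pattern, name, version):
                report.append(f"Package {pkg} has a {kind} vulnerability, see {url}")
    return report


if __name__ == "__main__":
    for line in audit(INSTALLED, VULNERABILITIES):
        print(line)
```

Two details matter for an auditor of this kind: versions must be compared component by component (a string comparison would call 1.10 older than 1.9 and miss a vulnerable 1.0nb1 when the pattern says foo<1.0.1), and a fetched file should be parsed successfully before it replaces the copy in @PKGVULNDIR@, so that a truncated or malformed download from the cron job does not silently turn the next audit into an empty report.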