1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
|
AUDIT-PACKAGES(8) BSD System Manager's Manual AUDIT-PACKAGES(8)
N�NA�AM�ME�E
a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s, d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t -- show vulnerabilities in
installed packages
S�SY�YN�NO�OP�PS�SI�IS�S
a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s [-�-d�dv�v] [-�-K�K _�p_�k_�g_�__�d_�b_�d_�i_�r] [-�-p�p _�p_�a_�c_�k_�a_�g_�e]
d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t
D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
The a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s program compares the installed packages with the
_�p_�k_�g_�-_�v_�u_�l_�n_�e_�r_�a_�b_�i_�l_�i_�t_�i_�e_�s file and reports any known security issues to stan-
dard output. This output contains the name and version of the package,
the type of vulnerability, and an URL for further information for each
vulnerable package.
The following flags are supported:
-�-d�d a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s will attempt to download the vulnerabilities
file before scanning the installed packages for vulnerabil-
ities.
-�-K�K _�p_�k_�g_�__�d_�b_�d_�i_�r Use package database directory _�p_�k_�g_�__�d_�b_�d_�i_�r.
-�-p�p _�p_�a_�c_�k_�a_�g_�e Check only the package _�p_�a_�c_�k_�a_�g_�e for vulnerabilities.
-�-v�v Set verbose mode. a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s will warn when the vul-
nerabilities file is more than a week old.
The d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t program downloads this file from
_�f_�t_�p_�:_�/_�/_�f_�t_�p_�._�N_�e_�t_�B_�S_�D_�._�o_�r_�g_�/_�p_�u_�b_�/_�N_�e_�t_�B_�S_�D_�/_�p_�a_�c_�k_�a_�g_�e_�s_�/_�d_�i_�s_�t_�f_�i_�l_�e_�s_�/_�p_�k_�g_�-_�v_�u_�l_�n_�e_�r_�a_�b_�i_�l_�i_�t_�i_�e_�s
using @FETCH_CMD_SHORT@(1). This vulnerabilities file documents all
known security issues in pkgsrc packages and is kept up-to-date by the
NetBSD pkgsrc-security team.
Each line lists the package and vulnerable versions, the type of exploit,
and an Internet address for further information:
<package pattern> <type> <url>
The type of exploit can be any text, although some common types of
exploits listed are:
+�+�o�o cross-site-html
+�+�o�o cross-site-scripting
+�+�o�o denial-of-service
+�+�o�o file-permissions
+�+�o�o local-access
+�+�o�o local-code-execution
+�+�o�o local-file-read
+�+�o�o local-file-removal
+�+�o�o local-file-write
+�+�o�o local-root-file-view
+�+�o�o local-root-shell
+�+�o�o local-symlink-race
+�+�o�o local-user-file-view
+�+�o�o local-user-shell
+�+�o�o privacy-leak
+�+�o�o remote-code-execution
+�+�o�o remote-command-inject
+�+�o�o remote-file-creation
+�+�o�o remote-file-read
+�+�o�o remote-file-view
+�+�o�o remote-file-write
+�+�o�o remote-key-theft
+�+�o�o remote-root-access
+�+�o�o remote-root-shell
+�+�o�o remote-script-inject
+�+�o�o remote-server-admin
+�+�o�o remote-use-of-secret
+�+�o�o remote-user-access
+�+�o�o remote-user-file-view
+�+�o�o remote-user-shell
+�+�o�o unknown
+�+�o�o weak-authentication
+�+�o�o weak-encryption
+�+�o�o weak-ssl-authentication
By default, the vulnerabilities file is stored in the @PKGVULNDIR@ direc-
tory. This can be changed by defining the environment variable
PKGVULNDIR to the directory containing the vulnerabilities file.
If a URL is specified in IGNORE_URLS then all entries listed in
_�p_�k_�g_�-_�v_�u_�l_�n_�e_�r_�a_�b_�i_�l_�i_�t_�i_�e_�s that match that URL will not be reported when
_�a_�u_�d_�i_�t_�-_�p_�a_�c_�k_�a_�g_�e_�s is run. Running _�a_�u_�d_�i_�t_�-_�p_�a_�c_�k_�a_�g_�e_�s -v will display the
details of all entries skipped if IGNORE_URLS is set.
E�EX�XI�IT�T S�ST�TA�AT�TU�US�S
The a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s utility exits 0 on success, and >0 if an error occurs.
E�EN�NV�VI�IR�RO�ON�NM�ME�EN�NT�T
These variables can also be defined in the @PKG_SYSCONFDIR@/audit-pack-
ages.conf file.
PKGVULNDIR Specifies the directory containing the _�p_�k_�g_�-_�v_�u_�l_�n_�e_�r_�a_�b_�i_�l_�i_�t_�i_�e_�s
file.
FETCH_ARGS Specifies optional arguments for the ftp client.
FETCH_PROTO
Specifies the protocol to use when fetching the
_�p_�k_�g_�-_�v_�u_�l_�n_�e_�r_�a_�b_�i_�l_�i_�t_�i_�e_�s file. Currently supports only http and
ftp. The default is ftp.
IGNORE_URLS
A list of vulnerability URLs to be ignored. This allows for
ignoring certain URLs that are attached to a vulnerability.
F�FI�IL�LE�ES�S
@PKGVULNDIR@/pkg-vulnerabilities
@PKG_SYSCONFDIR@/audit-packages.conf
E�EX�XA�AM�MP�PL�LE�ES�S
The d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t command can be run via cron(8) to update
the _�p_�k_�g_�-_�v_�u_�l_�n_�e_�r_�a_�b_�i_�l_�i_�t_�i_�e_�s file daily. And a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s can be run via
cron(8) (or with NetBSD's _�/_�e_�t_�c_�/_�s_�e_�c_�u_�r_�i_�t_�y_�._�l_�o_�c_�a_�l daily security script).
The d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t command can be forced to use IPv4 with
the following setting in @PKG_SYSCONFDIR@/audit-packages.conf :
export FETCH_ARGS="-4"
The d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t command can be forced to use http to
download the _�p_�k_�g_�-_�v_�u_�l_�n_�e_�r_�a_�b_�i_�l_�i_�t_�i_�e_�s file with the following setting in
@PKG_SYSCONFDIR@/audit-packages.conf :
export FETCH_PROTO="http"
D�DI�IA�AG�GN�NO�OS�ST�TI�IC�CS�S
The following errors can occur:
Checksum mismatch
The vulnerabilities file is corrupted. Run
d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t.
Missing vulnerabilities file
The vulnerabilities file could not be found. Run
d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t.
No checksum algorithm found
The vulnerabilities file is too old or incomplete. Run
d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t.
No checksum found
The vulnerabilities file is too old or incomplete. Run
d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t.
No file format version found
The vulnerabilities file is too old or incomplete. Run
d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t.
Unsupported file format version
The vulnerabilities file is too old or too new. If it's too
old, run d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t. If it's too new,
update the _�s_�e_�c_�u_�r_�i_�t_�y_�/_�a_�u_�d_�i_�t_�-_�p_�a_�c_�k_�a_�g_�e_�s package.
Installed pkg_info too old
a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s requires a newer version of pkg_info(1).
Update the _�p_�k_�g_�t_�o_�o_�l_�s_�/_�p_�k_�g_�__�i_�n_�s_�t_�a_�l_�l package.
S�SE�EE�E A�AL�LS�SO�O
pkg_info(1), mk.conf(5), packages(7), @PKGSRCDIR@/mk/defaults/mk.conf and
_�D_�o_�c_�u_�m_�e_�n_�t_�a_�t_�i_�o_�n _�o_�n _�t_�h_�e _�N_�e_�t_�B_�S_�D _�P_�a_�c_�k_�a_�g_�e _�S_�y_�s_�t_�e_�m. @PKGSRCDIR@/doc/pkgsrc.txt
H�HI�IS�ST�TO�OR�RY�Y
The a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s and d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t commands were origi-
nally implemented and added to NetBSD's pkgsrc by Alistair Crooks on
September 19, 2000. The original idea came from Roland Dowdeswell and
Bill Sommerfeld.
BSD April 15, 2006 BSD
|
