AUDIT-PACKAGES(8)        NetBSD System Manager's Manual        AUDIT-PACKAGES(8)

NAME
     audit-packages, download-vulnerability-list - show vulnerabilities in
     installed packages

SYNOPSIS
     audit-packages [-v]
     download-vulnerability-list

DESCRIPTION
     The audit-packages program compares the installed packages with the
     pkg-vulnerabilities file and reports any known security issues to
     standard output.  This output contains the name and version of the
     package, the type of vulnerability, and a URL for further information
     for each vulnerable package.  If the -v option is specified,
     audit-packages will warn when the vulnerabilities file is more than a
     week old.

     The download-vulnerability-list program downloads this file from
     ftp://ftp.NetBSD.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities
     using @FETCH_CMD_SHORT@(1).  This vulnerabilities file documents all
     known security issues in pkgsrc packages and is kept up to date by the
     NetBSD packages team.
     Each line lists the package and vulnerable versions, the type of
     exploit, and an Internet address for further information.  The type of
     exploit can be any text, although some common types of exploits listed
     are:

     o   cross-site-html
     o   cross-site-scripting
     o   denial-of-service
     o   file-permissions
     o   local-access
     o   local-code-execution
     o   local-file-read
     o   local-file-removal
     o   local-file-write
     o   local-root-file-view
     o   local-root-shell
     o   local-symlink-race
     o   local-user-file-view
     o   local-user-shell
     o   privacy-leak
     o   remote-code-execution
     o   remote-command-inject
     o   remote-file-creation
     o   remote-file-read
     o   remote-file-view
     o   remote-file-write
     o   remote-key-theft
     o   remote-root-access
     o   remote-root-shell
     o   remote-script-inject
     o   remote-server-admin
     o   remote-use-of-secret
     o   remote-user-access
     o   remote-user-file-view
     o   remote-user-shell
     o   unknown
     o   weak-authentication
     o   weak-encryption
     o   weak-ssl-authentication

     By default, the vulnerabilities file is stored in the @PKGVULNDIR@
     directory.  This can be changed by defining the environment variable
     PKGVULNDIR to the directory containing the vulnerabilities file.
ENVIRONMENT
     These variables can also be defined in the
     @PKG_SYSCONFDIR@/audit-packages.conf file.

     PKGVULNDIR   Specifies the directory containing the pkg-vulnerabilities
                  file.

     FETCH_ARGS   Specifies optional arguments for the ftp client.

FILES
     @PKGVULNDIR@/pkg-vulnerabilities
     @PKG_SYSCONFDIR@/audit-packages.conf

EXAMPLES
     The download-vulnerability-list command can be run via cron(8) to update
     the pkg-vulnerabilities file daily, and audit-packages can be run via
     cron(8) (or with NetBSD's /etc/security.local daily security script).

     The download-vulnerability-list command can be forced to use IPv4 with
     the following setting in @PKG_SYSCONFDIR@/audit-packages.conf:

           export FETCH_ARGS="-4"
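     The following Python script is an added illustration of the check that
     the DESCRIPTION and DIAGNOSTICS sections describe: parse a
     pkg-vulnerabilities file, compare installed package versions against the
     vulnerable ranges, and raise the documented errors for a missing or
     mismatched checksum and for a missing or unsupported format version.  It
     is example code written for this page, not the pkgsrc audit-packages
     script.  Everything about the file layout beyond "package, vulnerable
     versions, type, address per line" is an assumption: the three
     whitespace-separated fields, the "name<op>version" pattern syntax with
     <, <=, > and >=, the "#FORMAT" header line, the "#CHECKSUM <algorithm>
     <hexdigest>" trailer, the SUPPORTED_FORMAT value, and the package names,
     versions and URLs in the sample data, which are constructed.

```python
"""Toy audit-packages check: parse a pkg-vulnerabilities file and report
installed packages whose version falls inside a vulnerable range.

Added example for this page, not the pkgsrc audit-packages script.
Assumed, not stated in the manual:
  * entry lines are three whitespace-separated fields:
        <package-pattern> <exploit-type> <url>
  * a pattern is a name followed by one or more comparisons using
    <, <=, > or >=, e.g. "foo<1.2.3" or "foo>=2.0<2.0.5"
  * the file starts with "#FORMAT <version>" and ends with
    "#CHECKSUM <algorithm> <hexdigest>" computed over every preceding byte
"""
import hashlib
import re
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_AGE_SECONDS = 7 * 24 * 3600  # the -v option warns after one week
SUPPORTED_FORMAT = "1.1.0"       # assumed value for the format-version check

_CONSTRAINT_RE = re.compile(r"(<=|>=|<|>)([^<>]+)")


@dataclass
class Entry:
    name: str
    constraints: List[Tuple[str, str]]  # (operator, version bound) pairs
    exploit_type: str
    url: str


def _version_key(version: str) -> list:
    """Simplified dewey ordering: numeric components compare as integers,
    anything else as text, so 1.2 < 1.2.1 and 1.9 < 1.10."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.split(r"[.-]", version)]


_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def version_matches(version: str, constraints: List[Tuple[str, str]]) -> bool:
    """True when `version` satisfies every comparison in the pattern."""
    key = _version_key(version)
    return all(_OPS[op](key, _version_key(bound)) for op, bound in constraints)


def parse_vulnerabilities(text: str) -> List[Entry]:
    """Validate header and checksum trailer, then parse the entries.
    The ValueError messages mirror the DIAGNOSTICS section."""
    lines = text.splitlines(keepends=True)
    header = lines[0].split() if lines else []
    if len(header) < 2 or header[0] != "#FORMAT":
        raise ValueError("No file format version found")
    if header[1] != SUPPORTED_FORMAT:
        raise ValueError("Unsupported file format version")
    if not lines[-1].startswith("#CHECKSUM "):
        raise ValueError("No checksum found")
    _, algorithm, digest = lines[-1].split()
    try:
        h = hashlib.new(algorithm.lower())
    except ValueError:
        raise ValueError("No checksum algorithm found") from None
    h.update("".join(lines[:-1]).encode())
    if h.hexdigest() != digest:
        raise ValueError("Checksum mismatch")

    entries = []
    for raw in lines[1:-1]:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed entry: {line!r}")
        pattern, exploit_type, url = fields
        split_at = re.search(r"[<>]", pattern)
        if split_at is None:
            raise ValueError(f"pattern without version comparison: {pattern!r}")
        name = pattern[:split_at.start()]
        constraints = _CONSTRAINT_RE.findall(pattern[split_at.start():])
        entries.append(Entry(name, constraints, exploit_type, url))
    return entries


def audit(installed: dict, entries: List[Entry]) -> List[Tuple[str, str, str, str]]:
    """Return (name, version, exploit type, url) per vulnerable package:
    the four items audit-packages reports for each hit."""
    hits = []
    for e in entries:
        version = installed.get(e.name)
        if version is not None and version_matches(version, e.constraints):
            hits.append((e.name, version, e.exploit_type, e.url))
    return hits


def file_is_stale(mtime: float, now: Optional[float] = None) -> bool:
    """The -v check: has the file gone more than a week without a refresh?"""
    now = time.time() if now is None else now
    return now - mtime > MAX_AGE_SECONDS


# Constructed sample file; the trailer is computed over the body above it.
SAMPLE_BODY = (
    "#FORMAT 1.1.0\n"
    "# constructed entries, not real advisories\n"
    "examplepkg<1.2.3 remote-code-execution https://example.invalid/adv-1\n"
    "otherpkg>=2.0<2.0.5 denial-of-service https://example.invalid/adv-2\n"
    "thirdpkg<=0.9 weak-encryption https://example.invalid/adv-3\n"
)
SAMPLE_FILE = (SAMPLE_BODY + "#CHECKSUM SHA512 "
               + hashlib.sha512(SAMPLE_BODY.encode()).hexdigest() + "\n")

# Constructed pkg_info-style inventory: package name -> installed version
SAMPLE_INSTALLED = {"examplepkg": "1.2.2", "otherpkg": "2.0.5",
                    "thirdpkg": "0.9", "unrelated": "3.1"}


def run_sample() -> List[Tuple[str, str, str, str]]:
    return audit(SAMPLE_INSTALLED, parse_vulnerabilities(SAMPLE_FILE))


if __name__ == "__main__":
    for name, version, kind, url in run_sample():
        print(f"Package {name}-{version} has a {kind} vulnerability, see {url}")
```

     Against the constructed sample, examplepkg-1.2.2 and thirdpkg-0.9 are
     reported; otherpkg-2.0.5 sits on the upper bound of a strict "<2.0.5"
     range and is not.  The checksum is verified before any entry is
     trusted, which is the ordering the DIAGNOSTICS section implies: a
     corrupted or truncated download is rejected rather than producing a
     silently shorter report.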
DIAGNOSTICS
     The audit-packages utility exits 0 on success, and >0 if an error
     occurs.  The following errors can occur:

     Checksum mismatch
             The vulnerabilities file is corrupted.  Run
             download-vulnerability-list.

     Missing vulnerabilities file
             The vulnerabilities file could not be found.  Run
             download-vulnerability-list.

     No checksum algorithm found
             The vulnerabilities file is too old or incomplete.  Run
             download-vulnerability-list.

     No checksum found
             The vulnerabilities file is too old or incomplete.  Run
             download-vulnerability-list.

     No file format version found
             The vulnerabilities file is too old or incomplete.  Run
             download-vulnerability-list.

     Unsupported file format version
             The vulnerabilities file is too old or too new.  If it's too
             old, run download-vulnerability-list.  If it's too new, update
             the security/audit-packages package.

     Installed pkg_info too old
             audit-packages requires a newer version of pkg_info(1).  Update
             the pkgtools/pkg_install package.

SEE ALSO
     pkg_info(1), mk.conf(5), packages(7), @PKGSRCDIR@/mk/bsd.pkg.defaults.mk
     and Documentation on the NetBSD Package System,
     @PKGSRCDIR@/doc/pkgsrc.txt

HISTORY
     The audit-packages and download-vulnerability-list commands were
     originally implemented and added to NetBSD's pkgsrc by Alistair Crooks
     on September 19, 2000.  The original idea came from Roland Dowdeswell
     and Bill Sommerfeld.

NetBSD 2.0.2                     June 9, 2005                      NetBSD 2.0.2