1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
|
AUDIT-PACKAGES(8) NetBSD System Manager's Manual AUDIT-PACKAGES(8)
N�NA�AM�ME�E
a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s, d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t -- show vulnerabilities in
installed packages
S�SY�YN�NO�OP�PS�SI�IS�S
a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s [-�-d�dv�v] [-�-K�K _�p_�k_�g_�__�d_�b_�d_�i_�r] [-�-p�p _�p_�a_�c_�k_�a_�g_�e]
d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t
D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
The a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s program compares the installed packages with the
_�p_�k_�g_�-_�v_�u_�l_�n_�e_�r_�a_�b_�i_�l_�i_�t_�i_�e_�s file and reports any known security issues to stan-
dard output. This output contains the name and version of the package,
the type of vulnerability, and an URL for further information for each
vulnerable package.
The following flags are supported:
-�-d�d a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s will attempt to download the vulnerabilities
file before scanning the installed packages for vulnerabil-
ities.
-�-K�K _�p_�k_�g_�__�d_�b_�d_�i_�r Use package database directory _�p_�k_�g_�__�d_�b_�d_�i_�r.
-�-p�p _�p_�a_�c_�k_�a_�g_�e Check only the package _�p_�a_�c_�k_�a_�g_�e for vulnerabilities.
-�-v�v Set verbose mode. a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s will warn when the vul-
nerabilities file is more than a week old.
The d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t program downloads this file from
_�f_�t_�p_�:_�/_�/_�f_�t_�p_�._�N_�e_�t_�B_�S_�D_�._�o_�r_�g_�/_�p_�u_�b_�/_�N_�e_�t_�B_�S_�D_�/_�p_�a_�c_�k_�a_�g_�e_�s_�/_�d_�i_�s_�t_�f_�i_�l_�e_�s_�/_�p_�k_�g_�-_�v_�u_�l_�n_�e_�r_�a_�b_�i_�l_�i_�t_�i_�e_�s
using @FETCH_CMD_SHORT@(1). This vulnerabilities file documents all
known security issues in pkgsrc packages and is kept up-to-date by the
NetBSD pkgsrc-security team.
Each line lists the package and vulnerable versions, the type of exploit,
and an Internet address for further information:
<package pattern> <type> <url>
The type of exploit can be any text, although some common types of
exploits listed are:
·�· cross-site-html
·�· cross-site-scripting
·�· denial-of-service
·�· file-permissions
·�· local-access
·�· local-code-execution
·�· local-file-read
·�· local-file-removal
·�· local-file-write
·�· local-root-file-view
·�· local-root-shell
·�· local-symlink-race
·�· local-user-file-view
·�· local-user-shell
·�· privacy-leak
·�· remote-code-execution
·�· remote-command-inject
·�· remote-file-creation
·�· remote-file-read
·�· remote-file-view
·�· remote-file-write
·�· remote-key-theft
·�· remote-root-access
·�· remote-root-shell
·�· remote-script-inject
·�· remote-server-admin
·�· remote-use-of-secret
·�· remote-user-access
·�· remote-user-file-view
·�· remote-user-shell
·�· unknown
·�· weak-authentication
·�· weak-encryption
·�· weak-ssl-authentication
By default, the vulnerabilities file is stored in the @PKGVULNDIR@ direc-
tory. This can be changed by defining the environment variable
PKGVULNDIR to the directory containing the vulnerabilities file.
E�EX�XI�IT�T S�ST�TA�AT�TU�US�S
The a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s utility exits 0 on success, and >0 if an error occurs.
E�EN�NV�VI�IR�RO�ON�NM�ME�EN�NT�T
These variables can also be defined in the @PKG_SYSCONFDIR@/audit-pack-
ages.conf file.
PKGVULNDIR Specifies the directory containing the _�p_�k_�g_�-_�v_�u_�l_�n_�e_�r_�a_�b_�i_�l_�i_�t_�i_�e_�s
file.
FETCH_ARGS Specifies optional arguments for the ftp client.
F�FI�IL�LE�ES�S
@PKGVULNDIR@/pkg-vulnerabilities
@PKG_SYSCONFDIR@/audit-packages.conf
E�EX�XA�AM�MP�PL�LE�ES�S
The d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t command can be run via cron(8) to update
the _�p_�k_�g_�-_�v_�u_�l_�n_�e_�r_�a_�b_�i_�l_�i_�t_�i_�e_�s file daily. And a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s can be run via
cron(8) (or with NetBSD's _�/_�e_�t_�c_�/_�s_�e_�c_�u_�r_�i_�t_�y_�._�l_�o_�c_�a_�l daily security script).
The d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t command can be forced to use IPv4 with
the following setting in @PKG_SYSCONFDIR@/audit-packages.conf :
export FETCH_ARGS="-4"
D�DI�IA�AG�GN�NO�OS�ST�TI�IC�CS�S
The following errors can occur:
Checksum mismatch
The vulnerabilities file is corrupted. Run
d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t.
Missing vulnerabilities file
The vulnerabilities file could not be found. Run
d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t.
No checksum algorithm found
The vulnerabilities file is too old or incomplete. Run
d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t.
No checksum found
The vulnerabilities file is too old or incomplete. Run
d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t.
No file format version found
The vulnerabilities file is too old or incomplete. Run
d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t.
Unsupported file format version
The vulnerabilities file is too old or too new. If it's too
old, run d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t. If it's too new,
update the _�s_�e_�c_�u_�r_�i_�t_�y_�/_�a_�u_�d_�i_�t_�-_�p_�a_�c_�k_�a_�g_�e_�s package.
Installed pkg_info too old
a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s requires a newer version of pkg_info(1).
Update the _�p_�k_�g_�t_�o_�o_�l_�s_�/_�p_�k_�g_�__�i_�n_�s_�t_�a_�l_�l package.
S�SE�EE�E A�AL�LS�SO�O
pkg_info(1), mk.conf(5), packages(7), @PKGSRCDIR@/mk/defaults/mk.conf and
_�D_�o_�c_�u_�m_�e_�n_�t_�a_�t_�i_�o_�n _�o_�n _�t_�h_�e _�N_�e_�t_�B_�S_�D _�P_�a_�c_�k_�a_�g_�e _�S_�y_�s_�t_�e_�m. @PKGSRCDIR@/doc/pkgsrc.txt
H�HI�IS�ST�TO�OR�RY�Y
The a�au�ud�di�it�t-�-p�pa�ac�ck�ka�ag�ge�es�s and d�do�ow�wn�nl�lo�oa�ad�d-�-v�vu�ul�ln�ne�er�ra�ab�bi�il�li�it�ty�y-�-l�li�is�st�t commands were origi-
nally implemented and added to NetBSD's pkgsrc by Alistair Crooks on
September 19, 2000. The original idea came from Roland Dowdeswell and
Bill Sommerfeld.
NetBSD 3.0 April 15, 2006 NetBSD 3.0
|
