On Thu Sep 25, 2003 at 11:16:24PM -0500, Vox wrote:

> > I guess my point was missed.  We don't want to perform queries.
> > Unless the PHP or HTML Page we pull up from MandrakeSecure Queries the
> > Data to sort it and correlate the CVEs and the MDKSAs (and RPM names).
> > This is what the Management Teams want to see, one page (maybe more),
> > of Vulnerabilities to Updates.  Thus while you're going through the
> > chart of vulnerabilities, we can EASILY Correlate one page to the
> > report.  Do you really want all of us querying the CVEs for each
> > server??
> >
> > Apologies if you thought that I was hollering, as I wasn't.  Just
> > thinking aloud to stress a point.  We work with Mandrake and Nessus to
> > make the Security Issues disappear.  Making it easier to perform our
> > duties benefits all of us.
> 
>   Uhm...well, I just went to mdksecure and did a search on no item on
>   the CVE search field (just put cursor in it and hit Go button). I
>   see the CVE number, MDKSA number and description of the
>   problem. Since I do keep everything up to date in all boxes I admin,
>   I use that table for "ok, said item is fixed, so I'm well"...but

Cool... I didn't even know it did that.  =)

>   maybe Vincent could be convinced (if he has the time, which I know
>   is usually the biggest problem for him) to add the full rpm name for
>   at least the last normal distro (9.1 as of today) and probably the 2
>   corporate servers (MNF8.2 and CS2.1 as of today) to that list. Or
>   just add a page which displays the same thing as the blank search
>   plus the rpm names for all currently supported distros. I don't know
>   the internals of the database he's got with the advisories, so I
>   can't say how easy or hard this can be.

That would be problematic.  The database contains the info that appears in
the advisories, so the rpm listing is a text field that contains the path in
the updates tree as well as the md5sum.  Creating the kind of table you want
from that is going to be problematic and intense... besides, something like
that should be relatively static anyways.

And what do we do in the case of XFree86 when there's over half a dozen
packages?  Which package do we list?

I'm all for making things useful, but there has to be a reason for me to
spend the time other than one or two people asking.  I mean, I need to
prioritize stuff.  And considering you can get the entire list of CVE's
using the method you just mentioned, how difficult is it to hit CTRL-F in
your browser, search for your CVE name(s) and then click on the advisory
link to see the package listing?  I can't imagine it to be too difficult.

I'm all for usefulness, but for me to spend so much time on something
because a few people are too lazy to click on a link is just ridiculous.

Not to say it wouldn't be nice to have, but I'd put this *way* down on my
priority list.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
