Re: Machine-readable form for debian security advisories

2004-08-12 Thread Florian Weimer
* Joshua Goodall:

> I have several hundred debian instances to care for, and they are 
> monitored via Nagios.  I would like to institute a regular test that
> checks each box against a list of security advisories, without
> running apt-get update several times a day on 300 boxes.
>
> Therefore I see a need for a machine readable DSA format.

Have a look at OVAL: 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Machine-readable form for debian security advisories

2004-08-12 Thread Jacques A. Vidrine
[Lupe dropped from cc: as (I think was) requested]

On Thu, Aug 12, 2004 at 05:25:32PM +1000, Joshua Goodall wrote:
[snip good stuff]
> These nits aside, I can probably use VuXML for my project, even if it
> means extending the DTD. Thanks for pointing it out!

Hi Joshua!

I'm only too happy to evolve VuXML for use by other projects.
If you would be interested, would you kindly post your proposal
to [EMAIL PROTECTED].  It is a public list suitable for
discussing such changes.  Your timing is good, in that I've been busy
for a couple of months and have some free time opening up, and I have
some ideas for a version 1.2 of the DTD also.

Let's see if we can make this a good fit!

Cheers,
-- 
Jacques Vidrine / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]





Re: Machine-readable form for debian security advisories

2004-08-12 Thread Lupe Christoph
On Thursday, 2004-08-12 at 17:25:32 +1000, Joshua Goodall wrote:

> As I understand it, VuXML has a slightly different semantic. It 
> expresses that specified binary package versions will have a certain 
> vulnerability and implies they should be deinstalled or upgraded to 
> some version for which the vulnerability does not exist. The DSA series 
> always gives "less than" information and states you must upgrade to the 
> version listed.

I have to confess I only use VuXML and have never looked at it closely. If
you find VuXML deficient for use with Debian and wish to extend or
change it, it's probably best if you discuss this with the people who
invented it. I can't comment on your statements and diff. So please
leave me out of the discussion. I'm getting enough mail already ;-)

> These nits aside, I can probably use VuXML for my project, even if it 
> means extending the DTD. Thanks for pointing it out!

That's something I *can* comment on: Glad you found it useful. So I hope
to see VuXML being used for Debian as well in the future.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity    |
| Home for Badgers with Rabies."                           Michael Lucas |





Re: Machine-readable form for debian security advisories

2004-08-12 Thread Joshua Goodall
On Thu, 12 Aug 2004 03:38 pm, Lupe Christoph wrote:
> On Thursday, 2004-08-12 at 14:26:44 +1000, Joshua Goodall wrote:
> > Therefore I see a need for a machine readable DSA format. I know
> > there's a defined format to the current header, but I'd like to
> > expand on that.
> >
> > It will look something like:
>
> Please do not invent yet another format if you can avoid it. You
> don't mention VuXML (http://www.vuxml.org/), so I suppose you did not
> know it. Please have a look there.

As I understand it, VuXML has a slightly different semantic. It 
expresses that specified binary package versions will have a certain 
vulnerability and implies they should be deinstalled or upgraded to 
some version for which the vulnerability does not exist. The DSA series 
always gives "less than" information and states you must upgrade to the 
version listed.

VuXML also lacks metadata fields for specifying architecture limitations 
or restriction to different distributions of the system. They are 
required because the Debian security team generally backports fixes and 
thereby creates their own branch of the package. VuXML only 
distinguishes distributions using the  element, which is a 
sibling of the  element. That structure is correct for the 
*BSDs but not for Debian.

e.g. I will probably use an extension of the vocabulary:

--- vuxml-model-11.mod.orig 2004-04-03 01:29:56.0 +1000
+++ vuxml-model-11.mod  2004-08-12 17:21:11.0 +1000
@@ -57,6 +57,8 @@
 
 
 
+
+
 
 
 
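Review bot: the two `+` lines in this hunk are empty in the archived copy, so the element declarations being added after line 57 of vuxml-model-11.mod cannot be checked against the prose (per-distribution and per-architecture restrictions on a package); all the hunk shows is that two lines go in. Whether the archive stripped them as markup or the paste lost them, reposting with the `<` and `>` escaped, or attaching the .mod diff, would let the list review the actual declarations.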
@@ -197,6 +199,8 @@
 
 
 
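Review bot: the header `@@ -197,6 +199,8 @@` says this hunk adds two lines, but no `+` line is visible below it and only three (blank) context lines survive, so whether the new elements are hooked into the existing content model at line 197 (the package-level element the prose says they must sit under, rather than beside, for Debian) cannot be verified from this copy; the "(untested)" caveat that follows should stand until this part is posted in full.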

(untested, but you get the idea)

to produce


  
stable
i386
arm
ia64
hppa
m68k
mips
mipsel
s390
sparc
libpng2
1.0.12-3.woody.7
  

or

  
stable
any
libpng2-dev
1.0.12-3.woody.7
  

etc.

These nits aside, I can probably use VuXML for my project, even if it 
means extending the DTD. Thanks for pointing it out!

-- 
Joshua Goodall <[EMAIL PROTECTED]>
Solutions Architect / Principal Security Architect
myinternet Limited.


pgptYMFLgexSN.pgp
Description: signature


Re: Machine-readable form for debian security advisories

2004-08-11 Thread Lupe Christoph
On Thursday, 2004-08-12 at 14:26:44 +1000, Joshua Goodall wrote:

> Therefore I see a need for a machine readable DSA format. I know there's 
> a defined format to the current header, but I'd like to expand on that.

> It will look something like:

Please do not invent yet another format if you can avoid it. You don't
mention VuXML (http://www.vuxml.org/), so I suppose you did not know it.
Please have a look there.

Thank you,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity    |
| Home for Badgers with Rabies."                           Michael Lucas |





Machine-readable form for debian security advisories

2004-08-11 Thread Joshua Goodall
I have several hundred debian instances to care for, and they are 
monitored via Nagios.  I would like to institute a regular test that
checks each box against a list of security advisories, without
running apt-get update several times a day on 300 boxes.

Therefore I see a need for a machine readable DSA format. I know there's 
a defined format to the current header, but I'd like to expand on that.

It will look something like:

DSA: 536-1
Title: New libpng, libpng3 packages fix multiple vulnerabilities
Date: 20040804
Upgrade-required: simple
Vulnerability: several
Problem-Type: local/remote
Debian-specific: no
CVE-Ids: CAN-2004-0597 CAN-2004-0598 CAN-2004-0599 CAN-2004-0768

Package: libpng
Distribution: stable
Architecture: any
Binary: libpng2-dev, libpng2
Version: 1.0.12-3.woody.7

Package: libpng3
Distribution: stable
Architecture: any
Binary: libpng-dev, libpng3
Version: 1.2.1-1.1.woody.7

This can be easily distributed, parsed and compared to the package 
status database to determine which installed packages must be upgraded, 
and can raise an alert if required.

I can script the generation of a MR-DSA from existing data, especially 
the DSA itself. Before I do: has anyone already done anything like this 
with DSAs, and would anyone be interested in using the resulting 
mechanism?

Joshua.

-- 
Joshua Goodall <[EMAIL PROTECTED]>
Solutions Architect / Principal Security Architect
myinternet Limited.




pgpD9vIwzT60X.pgp
Description: signature
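The check the original post describes, written out as an added example (it is not Joshua's script and not a Debian tool): it parses MR-DSA paragraphs in the format proposed above, reads a dpkg status file, compares versions with dpkg's own ordering rules (epoch first, then upstream and revision as alternating non-digit and numeric runs, with "~" sorting before everything including end-of-string), and maps the outcome onto Nagios plugin exit codes. The status excerpt is constructed for the demo. Treating Distribution and Architecture as space-separated lists with "any" as a wildcard, and all function names, are assumptions of this example rather than part of the proposal.

```python
# Added example: check dpkg's status file against an MR-DSA. Not the poster's script.
import re
MR_DSA = """\
DSA: 536-1

Package: libpng
Distribution: stable
Architecture: any
Binary: libpng2-dev, libpng2
Version: 1.0.12-3.woody.7

Package: libpng3
Distribution: stable
Architecture: any
Binary: libpng-dev, libpng3
Version: 1.2.1-1.1.woody.7
"""
# Constructed /var/lib/dpkg/status excerpt: libpng2 behind, libpng3 current, libpng-dev removed.
STATUS = """\
Package: libpng2
Status: install ok installed
Version: 1.0.12-3.woody.5

Package: libpng3
Status: install ok installed
Version: 1.2.1-1.1.woody.7

Package: libpng-dev
Status: deinstall ok config-files
Version: 1.2.1-1.1.woody.3
"""

def paragraphs(text):
    """Split RFC822-style text into dicts, one per blank-line-separated block."""
    blocks = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        blocks.append({k.strip(): v.strip() for k, _, v in pairs})
    return blocks

def _order(c):
    """dpkg's per-character rank: '~' < end-of-string or digit < letters < others."""
    if c == "" or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """dpkg's rule for upstream/revision strings: non-digit runs char by char, digit runs as ints."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        na = re.match(r"\d*", a[i:]).group()
        nb = re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def cmp_version(v1, v2):
    """Return -1, 0 or 1 for two Debian versions ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def affected(dsa_text, status_text, host_arch, host_dist):
    """Return (dsa_id, [(binary, installed, required), ...]) for binaries dpkg
    reports as installed (config-files leftovers are skipped) that are too old."""
    header, *sources = paragraphs(dsa_text)
    installed = {p["Package"]: p["Version"] for p in paragraphs(status_text)
                 if p.get("Status", "").endswith(" installed")}
    findings = []
    for src in sources:
        # Assumption: Distribution/Architecture are space-separated lists; 'any' matches all.
        if not ({"any", host_dist} & set(src.get("Distribution", "any").split())
                and {"any", host_arch} & set(src.get("Architecture", "any").split())):
            continue
        for binary in (b.strip() for b in src["Binary"].split(",")):
            have = installed.get(binary)
            if have is not None and cmp_version(have, src["Version"]) < 0:
                findings.append((binary, have, src["Version"]))
    return header["DSA"], findings

def nagios_status(dsa_id, findings):
    """Map findings onto a Nagios plugin result: (exit code, summary line)."""
    if not findings:
        return 0, "OK: DSA %s: nothing to upgrade" % dsa_id
    return 2, "CRITICAL: DSA %s: %s" % (dsa_id, ", ".join("%s %s < %s" % f for f in findings))
```

On a real box STATUS would be the contents of /var/lib/dpkg/status and host_arch the output of dpkg --print-architecture. The part worth getting right is the comparison: a plain string compare puts 1.0.12-3.woody.10 before 1.0.12-3.woody.7 and would report a patched box as vulnerable, which is why the example reproduces dpkg's ordering instead of comparing strings.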