Re: NEW: pkg_check
Hans van Leeuwen wrote:
> > After reading packages-specs(7) I managed to fix the problem. Could you please test this new version?
>
> It still works fine for me under macppc. _But_ I do have a question though.
> pkg_check reports that the following installed package is affected by a vulnerability: mc-4.6.1p0
> According to VuXML, mc-4.6.1pre1p0 is affected (2005-02-17).
> What does it mean? Is pkg_check wrong or did mc never get fixed in the ports tree?

This is not handled by pkg_check. I guess the package management system can't figure out that mc-4.6.1p0 is greater than mc-4.6.1pre1p0. The RFC Marc Espie just posted tackles this problem.

Hans
Re: NEW: pkg_check
[EMAIL PROTECTED] wrote:
> This is not handled by pkg_check. I guess the package management system can't figure out that mc-4.6.1p0 is greater than mc-4.6.1pre1p0. The RFC Marc Espie just posted tackles this problem.

Well, it defeats the purpose of pkg_check then... Anyway, I hope a better versioning system like espie@ proposed could prevent that kind of problem.

Cheers.
Antoine
Re: NEW: pkg_check
On Thu, 03 Nov 2005 08:09:22 +0100, Antoine Jacoutot wrote:
> Quick guess because you need a ports tree.

Of course, there was something I overlooked!
On the other hand, cvs remains the 'master', and instead of manually updating a reference site, would it not be better and simpler to refer to the reference(s) given by the 'master'? Like skimming through the ports tree locally on the master and creating a reference directory to check against? Instead of checking against a third repository updated manually?
This is no criticism of the work of the OP, and the additional information is good as well. For practicalities like a regular check, though, whichever version is principally enough. Or am I just wrong another time?

Uwe
Re: NEW: pkg_check
Hans van Leeuwen wrote:
> pkg_check is built on top of OpenBSD's ports-system. It checks a given list of packages for vulnerabilities against the VuXML database. If no package is given all installed packages will be checked.
> Please test the port and the program.

First, let me tell you that I am _extremely_ happy to see this program... I might not have to use /usr/ports/infrastructure/build/out-of-date anymore on my boxes which run -release and -stable, this is great.
So far, it works as expected under current/macppc:

# pkg_check
Fetching http://www.vuxml.org/openbsd/vuln.xml... 100% |**| 108 KB 00:01
+---+
| mc -- multiple vulnerabilities
+---+
| affected mc-4.6.1p0
| discovery: 2005-02-17
| entry: 2005-02-17
| vid 4ccf3184-812c-11d9-b5a5-080020fe8945
| cvename CAN-2004-1004
| cvename CAN-2004-1005
| cvename CAN-2004-1092
| cvename CAN-2004-1176
+---+
| Midnight Commander contains several format string errors, buffer overflows
| and one buffer underflow leading to execution of arbitrary code. An
| attacker could exploit these vulnerabilities to execute arbitrary code
| with the permissions of the user running Midnight Commander or cause
| Denial of Service by freeing unallocated memory.
+---+

Thank you for this port, I hope it'll be included. Just one question though, who takes care of the VuXML database for OpenBSD? I mean, can one trust it or is it totally unofficial?

Antoine
Re: NEW: pkg_check
On Wed, Nov 02, 2005 at 05:54:03PM +0100, Hans van Leeuwen wrote:
> pkg_check is built on top of OpenBSD's ports-system. It checks a given list of packages for vulnerabilities against the VuXML database. If no package is given all installed packages will be checked.
> Please test the port and the program.

How do you decide whether a program is affected? I'm getting the result below, which does not look correct, i.e. I assume 3.1.0 is not affected. How up-to-date is the database you use?

The ports team often applies security patches without changing the version number of a package, just bumping it by adding p0 for instance. Is this all taken into account?

| affected p5-Mail-SpamAssassin-3.1.0
| discovery: 2005-06-15
| entry: 2005-07-10
..
| Apache SpamAssassin Security Team reports
|
| Apache SpamAssassin 3.0.4 was recently released, and fixes a denial of
| service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3. The
| vulnerability allows certain misformatted long message headers to cause
| spam checking to take a very long time.

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Re: NEW: pkg_check
steven mestdagh wrote:
> On Wed, Nov 02, 2005 at 05:54:03PM +0100, Hans van Leeuwen wrote:
> > pkg_check is built on top of OpenBSD's ports-system. It checks a given list of packages for vulnerabilities against the VuXML database. If no package is given all installed packages will be checked.
> > Please test the port and the program.
>
> How do you decide whether a program is affected? I'm getting the result below, which does not look correct, i.e. I assume 3.1.0 is not affected. How up-to-date is the database you use?

Thanks for your reply. I did not write the code that does the version checking. I used OpenBSD::PkgSpec::match. You can use non-existing version numbers. Try 'pkg_check squid-1.2.3.4.5p12345' for example. But you are right, p5-Mail-SpamAssassin-3.1.0 should not show up. I will look into it later today.

> The ports team often applies security patches without changing the version number of a package, just bumping it by adding p0 for instance. Is this all taken into account?

Adding pX to the version works.

Hans
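The two version-ordering questions raised in this thread (whether mc-4.6.1p0 is newer than mc-4.6.1pre1p0, and whether a pN patch suffix counts), worked through in an added example that is not pkg_check's code and not OpenBSD::PkgSpec::match: a simplified comparator in which a pre-release tag ranks below the final release and pN raises the patch level, matched against constructed VuXML-style ranges. The `_BOUNDS` keys, the range dicts and the `strcmp_versions` contrast are assumptions made for the example.

```python
import re

# Constructed, simplified model of OpenBSD-style package versions (not
# OpenBSD::PkgSpec): "4.6.1pre1p0" -> dewey [4,6,1], tag ("pre",1), patch 0.
# A plain release outranks any alpha/beta/pre/rc tag at the same dewey level.
PRE_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3}
RELEASE_RANK = 9
_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:(alpha|beta|pre|rc)(\d+))?(?:p(\d+))?$")

def parse_version(ver):
    m = _VER.match(ver)
    if not m:
        raise ValueError("unsupported version syntax: " + ver)
    dewey = [int(x) for x in m.group(1).split(".")]
    tag = (PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (RELEASE_RANK, 0)
    patch = int(m.group(4)) if m.group(4) else -1  # no pN: unpatched port
    return dewey, tag, patch

def compare_versions(a, b):
    """strcmp-style result (<0, 0, >0), but version-aware."""
    da, ta, pa = parse_version(a)
    db, tb, pb = parse_version(b)
    n = max(len(da), len(db))  # pad so that 4.6 == 4.6.0
    da, db = da + [0] * (n - len(da)), db + [0] * (n - len(db))
    ka, kb = (da, ta, pa), (db, tb, pb)
    return (ka > kb) - (ka < kb)

def split_pkgname(pkgname):
    """'p5-Mail-SpamAssassin-3.1.0' -> ('p5-Mail-SpamAssassin', '3.1.0')."""
    m = re.match(r"^(.+?)-(\d.*)$", pkgname)
    if not m:
        raise ValueError("no version in package name: " + pkgname)
    return m.group(1), m.group(2)

# Bound keys modelled on the VuXML <range> element; the range dicts are constructed.
_BOUNDS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
           "gt": lambda c: c > 0, "ge": lambda c: c >= 0}

def is_affected(installed, vrange, cmp=compare_versions):
    """True when every bound of vrange holds for the installed version."""
    stem, ver = split_pkgname(installed)
    return stem == vrange["name"] and all(
        _BOUNDS[k](cmp(ver, v)) for k, v in vrange.items() if k in _BOUNDS)

def strcmp_versions(a, b):
    """Plain string order: reproduces the mc-4.6.1p0 false positive."""
    return (a > b) - (a < b)
```

Passing `cmp=strcmp_versions` to `is_affected` shows why a byte-wise comparison flags mc-4.6.1p0 against a range ending at 4.6.1pre1p0, while the version-aware comparator does not.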
Re: NEW: pkg_check
Hans van Leeuwen wrote:
> steven mestdagh wrote:
> > On Wed, Nov 02, 2005 at 05:54:03PM +0100, Hans van Leeuwen wrote:
> > > pkg_check is built on top of OpenBSD's ports-system. It checks a given list of packages for vulnerabilities against the VuXML database. If no package is given all installed packages will be checked.
> > > Please test the port and the program.
> >
> > How do you decide whether a program is affected? I'm getting the result below, which does not look correct, i.e. I assume 3.1.0 is not affected. How up-to-date is the database you use?
>
> But you are right, p5-Mail-SpamAssassin-3.1.0 should not show up. I will look into it later today.

After reading packages-specs(7) I managed to fix the problem. Could you please test this new version?

Hans

pkg_check-0.93-port.tgz
Description: GNU Unix tar archive
Re: NEW: pkg_check
> > > How do you decide whether a program is affected? I'm getting the result below, which does not look correct, i.e. I assume 3.1.0 is not affected. How up-to-date is the database you use?
> >
> > But you are right, p5-Mail-SpamAssassin-3.1.0 should not show up. I will look into it later today.
>
> After reading packages-specs(7) I managed to fix the problem. Could you please test this new version?

Works as expected now:
No vulnerabilities found.

--
steven
Re: NEW: pkg_check
In message [EMAIL PROTECTED] Hans van Leeuwen [EMAIL PROTECTED] wrote:
> Hans van Leeuwen wrote:
> > On Wed, Nov 02, 2005 at 05:54:03PM +0100, Hans van Leeuwen wrote:
> > > pkg_check is built on top of OpenBSD's ports-system. It checks a given list of packages for vulnerabilities against the VuXML database. If no package is given all installed packages will be checked.
> [snip]
> After reading packages-specs(7) I managed to fix the problem. Could you please test this new version?

Running the 27 Oct snapshot with a fully up to date ports tree including squid-2.5.STABLE12, pkg_check told me about various vulnerabilities affecting earlier versions of squid.

--
Andy Wingate  URL:http://www.sparse.net  OpenPGP key 0xC642BF8A
I'm in the middle of a chain reaction.
Re: NEW: pkg_check
Hans van Leeuwen wrote:
> After reading packages-specs(7) I managed to fix the problem. Could you please test this new version?

It still works fine for me under macppc. _But_ I do have a question though.
pkg_check reports that the following installed package is affected by a vulnerability: mc-4.6.1p0
According to VuXML, mc-4.6.1pre1p0 is affected (2005-02-17).
What does it mean? Is pkg_check wrong or did mc never get fixed in the ports tree?

Cheers,
Antoine
Re: NEW: pkg_check
On Wed, 02 Nov 2005 17:54:03 +0100, Hans van Leeuwen wrote:
> pkg_check is built on top of OpenBSD's ports-system. It checks a given list of packages for vulnerabilities against the VuXML database. If no package is given all installed packages will be checked.

This may be a dumb one, but I am curious: Why not check against the package names as they come from cvs?

Uwe
Re: NEW: pkg_check
Uwe Dippel wrote:
> This may be a dumb one, but I am curious: Why not check against the package names as they come from cvs?

Quick guess because you need a ports tree.