installed package vulnerability checker for Red Hat/Centos?
Craig White
craigwhite at azapple.com
Fri Sep 22 22:40:59 MST 2006
On Fri, 2006-09-22 at 17:57 -0700, der.hans wrote:
> On 21 Sep 2006, Jeremy C. Reed wrote:
>
> > Does anyone know of a tool for checking if installed packages on a CentOS
> > system have known vulnerabilities?
>
> Not quite what you want, but the closest I know of for GNU/Linux
> distros...
>
> debian and Ubuntu have their package list files up for the package
> managers. They also make the changelogs available, so you can see what
> was changed in a package before downloading it.
>
> The update manager in Ubuntu 6.0.6 allows you to show details and get the
> changelog as part of the upgrade.
>
> I don't know if RH has a similar mechanism for pulling up changelogs.
>
> You can check for packages that have fixes for security problems by only
> having the security feed available for upgrade, but that's still not quite
> what you want, I think.
----
I've been staying out of this because I'm not sure of where this is
headed.

Red Hat / CentOS packaging changelogs can be inspected by doing things
like

(remote packages)

    rpm -qp --changelog \
    ftp://ftp.redhat.com/pub/redhat/linux/updates/enterprise/4ES/en/os/SRPMS/kernel-2.6.9-22.EL.src.rpm

(installed packages)

    rpm -q --changelog httpd

and of course you could grep the output for specific advisories...

    # rpm -q --changelog httpd | grep CVE-2005-2700
    - mod_ssl: add security fix for SSLVerifyClient (CVE-2005-2700)

or you could probably dump all the changelogs of all installed packages
into a text file and grep away...

    rpm -qa --changelog > /tmp/changelogs.txt

so I'm not really sure that is everything Jeremy was looking for, but
certainly an answer to Hans' doubt.
Craig
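The grep-the-changelogs approach above loses one thing when run over all packages at once: `rpm -qa --changelog` prints the entries back to back without saying which package each one belongs to. The script below is an added example (not from Craig's post or the thread) that keeps the package attribution by using `rpm --queryformat` with the `CHANGELOGTEXT` tag to emit a `PACKAGE:` header before each package's entries, then pulls every CVE identifier out with awk and prints `package<TAB>CVE-id` pairs. The sample changelog text embedded in it is constructed for the demo (only CVE-2005-2700 and the kernel package name come from the post; the other ids and version strings are placeholders), so the parsing part runs without rpm; `scan_installed` is the function you would actually run on a Red Hat/CentOS box.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumes changelog text in the shape produced by scan_installed() below:
# a "PACKAGE: <name-version-release>" header line followed by that package's
# changelog entries.  Plain "rpm -qa --changelog" does not carry the package
# name, which is why the queryformat form is used.

# Read changelog text on stdin; print "package<TAB>CVE-id" pairs, sorted and
# de-duplicated.  A single changelog line may cite several ids, so every
# occurrence on the line is reported.
extract_cves() {
    awk '
        /^PACKAGE: / { pkg = $2; next }
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print pkg "\t" substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
            }
        }
    ' | LC_ALL=C sort -u
}

# Print the packages whose changelog mentions the given CVE id (stdin is the
# same changelog text).  Prints nothing when no package cites it.
packages_fixing() {
    extract_cves | awk -v want="$1" -F '\t' '$2 == want { print $1 }'
}

# Real-system variant: walk every installed package, labelling each
# changelog with the package it came from.  Not called here so the demo
# works on hosts without rpm.
scan_installed() {
    rpm -qa --queryformat \
        'PACKAGE: %{NAME}-%{VERSION}-%{RELEASE}\n[%{CHANGELOGTEXT}\n]' \
        | extract_cves
}

# Constructed sample input (the httpd version string, the changelog header
# lines and the CVE-2006-000x ids are placeholders, not real advisories).
SAMPLE=$(cat <<'EOF'
PACKAGE: httpd-2.0.52-22.ent.centos4
* constructed changelog entry 2.0.52-22.ent
- mod_ssl: add security fix for SSLVerifyClient (CVE-2005-2700)
- constructed entry citing CVE-2006-0001 and CVE-2006-0002 on one line
PACKAGE: kernel-2.6.9-22.EL
* constructed entry with no advisory reference
- rebuild
EOF
)

# Demo on the constructed sample:
printf '%s\n' "$SAMPLE" | extract_cves
```

Pipe the output of `scan_installed` into `grep CVE-2005-2700` (or call `scan_installed | awk -F '\t' '$2 == "CVE-2005-2700"'`) to get the package-qualified answer to "which installed package carries the fix for this advisory". Keep in mind what the data is: the changelog records what the packager chose to write, so an id that is absent says nothing either way about whether the package is affected or fixed; this is a quick local cross-check, not a substitute for the distribution's security advisories.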