> On Thu, 21 Sep 2006, Jeremy C. Reed wrote:
>
> > Does anyone know of a tool for checking if installed packages on a CentOS
> > system have known vulnerabilities?
>
> If you are current in updates, the default centos install all have yum configs
> which apply all security related updates for supported repositories
> automatically -- run yum; reboot if the glibc, the kernel, libraries or other
> 'key' packages are updated. all done. running:
>
> rpm -q --changelog packagename
>
> usually mentions the CVE, etc numbers addressed, if you wish to tick off that
> they are addressed.
>
> There is NO substitute to having and reading a subscription to the
> centos-announce mailing list, which carries all notifications, in a convenient
> (to procmail) parsable form; a subscription to the upstream's security
> announcement mailing lists for your major release level is also a good idea.
>
> Our worst case lags since project inception, have been less than 3 days after
> the upstream, as to security updates.

Thank you for the reply.

My original message also said:

I know yum can be used to indicate if updates are available. But I am looking
for something like NetBSD Pkgsrc's audit-packages or FreeBSD's portaudit -- list
name and version of installed package and an item and/or URL about the
vulnerability. For example:

Package xzgv-0.8.0.1nb1 has a remote-code-execution vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1060

Has anyone scripted around yum and rpm to output known vulnerabilities to
currently installed packages?

I do not want to manually check installed packages for many systems or parse
email messages or parse rpm output to figure out if installed packages have
known (known to Red Hat) security issues.

If this does not exist, I would be interested in coding this, but do not want
to recreate the wheel. I simply want to do:

- download datafile of package patterns with vulnerabilities identifiers or
  URLs (for security issue details).
- check my list of installed packages against the previously downloaded
  patterns -- and output the vulnerabilities/URLs for the matched packages.

(As found on other operating systems. And I am assuming would be useful to
others.)

You gave me some clues above so I can look further, but if you or anyone else
has other hints, please let me know.

Thanks again!

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
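Added example, not part of the thread: a minimal portaudit-style checker of the kind the message asks for. The vulnerability data file format is hypothetical (package name, first fixed version-release, CVE id, URL), the installed-package list is constructed in the shape `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` prints, and version ordering uses a simplified rpmvercmp (no epoch or tilde handling).

```python
import re
import subprocess

# Constructed sample: what 'rpm -qa --qf "%{NAME} %{VERSION}-%{RELEASE}\n"' might print.
INSTALLED = """\
openssh 4.3p2-4.el5
xzgv 0.8.0.1-1
glibc 2.5-12
"""

# Constructed vulnerability data file (hypothetical format):
# <name> <first fixed version-release> <CVE id> <URL>. Only CVE-2006-1060 is real
# (from the message); the other ids are placeholders.
VULN_DB = """\
openssh 4.3p2-10 CVE-XXXX-0001 http://example.invalid/placeholder-1
xzgv 0.9-1 CVE-2006-1060 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1060
glibc 2.5-1 CVE-XXXX-0002 http://example.invalid/placeholder-2
"""

def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into digit/letter runs; digits compare numerically,
    letters lexically, and a numeric segment is newer than an alphabetic one."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return -1 if int(x) < int(y) else 1
        if x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # longer (more segments) is newer

def vercmp(evr_a, evr_b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = evr_a.partition("-")
    vb, _, rb = evr_b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def find_vulnerable(installed_text, vuln_text):
    """Return (name, installed, cve, url) for every installed package older than its fix."""
    installed = dict(l.split(None, 1) for l in installed_text.splitlines() if l.strip())
    hits = []
    for line in vuln_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, fixed, cve, url = line.split()
        have = installed.get(name)
        if have is not None and vercmp(have, fixed) < 0:
            hits.append((name, have, cve, url))
    return hits

def installed_from_rpm():
    """Query the live rpm database (only called when run as a script)."""
    cmd = ["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for name, have, cve, url in find_vulnerable(INSTALLED, VULN_DB):
        print(f"Package {name}-{have} is affected by {cve}, see {url}")
```

Replacing `INSTALLED` with `installed_from_rpm()` runs the check against the real system; the data file itself would still have to come from a vendor or community feed.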