On 21 Sep 2006, Jeremy C. Reed chatted thus:

> Does anyone know of a tool for checking if installed packages on a CentOS
> system have known vulnerabilities?

Not quite what you want, but the closest I know of for GNU/Linux distros...

Debian and Ubuntu have their package list files up for the package managers. They also make the changelogs available, so you can see what was changed in a package before downloading it.

The update manager in Ubuntu 6.0.6 allows you to show details and get the changelog as part of the upgrade.

I don't know if RH has a similar mechanism for pulling up changelogs.

You can check for packages that have fixes for security problems by only having the security feed available for upgrade, but that's still not quite what you want, I think.

ciao,

der.hans

> I know yum can be used to indicate if updates are available.
>
> But I am looking for something like NetBSD Pkgsrc's audit-packages or
> FreeBSD's portaudit -- list name and version of installed package and an
> item and/or URL about the vulnerability. For example:
>
> Package xzgv-0.8.0.1nb1 has a remote-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1060
>
> Thanks!

--
# https://www.LuftHans.com/ http://www.CiscoLearning.org/
# Join the League of Professional System Administrators! https://LOPSA.org/
# To announce that there must be no criticism of the President, or that we
# are to stand by the President, right or wrong, is not only unpatriotic
# and servile, but is morally treasonable to the American public.
# -- Theodore Roosevelt, editorial in the Kansas City Star, 07May1918
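The kind of check asked about in the thread, as an added example that is not part of either message and not code from audit-packages or portaudit: it matches an installed-package inventory against an advisory feed and prints findings in the quoted one-line format. The feed layout, the "first fixed version" values, `examplepkg` and its URL are constructed assumptions; the version ordering is a simplified rpm-style comparison that ignores epochs.

```python
import re

# Constructed advisory feed: "<name> <first-fixed-version> <type> <url>".
# The fixed versions and the second entry are made up for illustration.
FEED = """\
xzgv 0.8.0.1nb2 remote-code-execution http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1060
examplepkg 1.10-2 denial-of-service https://advisories.example/EX-0001
"""

# Constructed inventory, in the shape printed by
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
INSTALLED = """\
xzgv 0.8.0.1nb1
examplepkg 1.9-7
otherpkg 2.0-1
"""

def segments(version):
    """Split a version into runs of digits or letters; separators are dropped."""
    return [int(s) if s.isdigit() else s
            for s in re.findall(r"[0-9]+|[A-Za-z]+", version)]

def vercmp(a, b):
    """Return -1, 0 or 1. Plain string comparison would rank 1.9 above 1.10."""
    sa, sb = segments(a), segments(b)
    for x, y in zip(sa, sb):
        if type(x) is not type(y):      # a numeric segment outranks an alphabetic one
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def audit(installed_text, feed_text):
    """List one finding per installed package older than its first fixed version."""
    installed = dict(l.split() for l in installed_text.splitlines() if l.strip())
    findings = []
    for line in feed_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, fixed, kind, url = line.split()
        have = installed.get(name)
        if have is not None and vercmp(have, fixed) < 0:
            findings.append(f"Package {name}-{have} has a {kind} vulnerability, see {url}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(INSTALLED, FEED)))
```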