plug] installed package vulnerability checker for Red Hat/Centos?

Jeremy C. Reed reed at reedmedia.net
Thu Sep 21 15:29:23 MST 2006


> On Thu, 21 Sep 2006, Jeremy C. Reed wrote:
> 
> > Does anyone know of a tool for checking if installed packages on a CentOS
> > system have known vulnerabilities?
> 
> If you are current in updates, the default centos install all have yum configs
> which apply all security related updates for supported repositories
> automatically -- run yum; reboot if the glibc, the kernel, libraries or other
> 'key' packages are updated.  all done.  running:
> 	rpm -q --changelog packagename usually mentions the CVE, etc numbers
> addressed, if you wish to tick off that they are addressed.
> 
> There is NO substitute to having and reading a subscription to the
> centos-announce mailing list, which carries all notifications, in a convenient
> (to procmail) parsable form; a subscription to the upstream's security
> announcement mailing lists for your major release level is also a good idea.
> 
> Our worst case lags since project inception, have been less than 3 days after
> the upstream, as to security updates.

Thank you for the reply.

My original message also said:

I know yum can be used to indicate if updates are available.

But I am looking for something like NetBSD Pkgsrc's audit-packages or 
FreeBSD's portaudit -- list name and version of installed package and an 
item and/or URL about the vulnerability. For example:

 Package xzgv-0.8.0.1nb1 has a remote-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1060

Has anyone scripted around yum and rpm to output known vulnerabilities to 
currently installed packages?

I do not want to manually check installed packages for many systems or 
parse email messages or parse rpm output to figure out if installed 
packages have known (known to Red Hat) security issues.

If this does not exist, I would be interested in coding this, but do not 
want to recreate the wheel.

I simply want to do:

- download datafile of package patterns with vulnerability identifiers 
or URLs (for security issue details).

- check my list of installed packages against the previously downloaded 
patterns -- and output the vulnerabilities/URLs for the matched packages.

(As found on other operating systems. And I am assuming it would be useful 
to others.)

You gave me some clues above so I can look further, but if you or anyone 
else has other hints, please let me know.

Thanks again!
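The two-step checker sketched in the message above (download a datafile of package patterns with vulnerability identifiers or URLs, then match it against the installed package list), written out as an added example; it is not code from the thread or from any existing tool. The datafile layout imitates pkgsrc's audit-packages `name<op>version kind url` lines, the installed-package list comes from `rpm -qa` with a custom query format, and versions are compared with a re-implementation of rpm's `rpmvercmp` (the newer tilde/caret ordering is not handled). The sample datafile and rpm output are constructed; the version bounds and the example.invalid URLs are placeholders, not advisory data.

```python
#!/usr/bin/env python3
"""Match installed RPMs against a datafile of vulnerable-package patterns.

Datafile line format (modelled on pkgsrc's pkg-vulnerabilities):
    <name><op><version>  <kind>  <url>        with <op> in < <= = >= >
"""
import re
import subprocess


def rpmvercmp(a: str, b: str) -> int:
    """Return -1/0/1 following rpm's segment-by-segment version comparison."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum():   # separators are skipped
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()                    # take a digit run or a letter run
        kind = str.isdigit if numeric else str.isalpha
        si, sj = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                               # numeric segment beats alpha segment
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1                  # leftover characters win


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release-or-None)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
        return epoch, version, release
    return epoch, evr, None


def compare_evr(installed: str, wanted: str) -> int:
    """Compare epoch, then version, then release (only if the pattern gives one)."""
    e1, v1, r1 = parse_evr(installed)
    e2, v2, r2 = parse_evr(wanted)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = rpmvercmp(v1, v2)
    if c or r1 is None or r2 is None:
        return c
    return rpmvercmp(r1, r2)


PATTERN_RE = re.compile(r"^(?P<name>[^<>=\s]+)(?P<op><=|>=|<|>|=)(?P<ver>\S+)\s+(?P<kind>\S+)\s+(?P<url>\S+)$")
OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
       ">=": lambda c: c >= 0, ">": lambda c: c > 0}


def parse_datafile(text: str):
    """Parse the downloaded pattern datafile; blank lines and '#' comments are ignored."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PATTERN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparsable pattern {line!r}")
        entries.append(m.groupdict())
    return entries


RPM_QUERY_FORMAT = "%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n"


def parse_rpm_qa(text: str):
    """Parse 'name epoch version release' lines; rpm prints '(none)' for a missing epoch."""
    pkgs = []
    for line in text.splitlines():
        if line.strip():
            name, epoch, version, release = line.split()
            evr = f"{version}-{release}"
            if epoch != "(none)":
                evr = f"{epoch}:{evr}"
            pkgs.append((name, evr))
    return pkgs


def audit(installed, entries):
    """Return (name, evr, kind, url) for every installed package a pattern matches."""
    return [(name, evr, e["kind"], e["url"])
            for name, evr in installed
            for e in entries
            if e["name"] == name and OPS[e["op"]](compare_evr(evr, e["ver"]))]


def format_finding(finding) -> str:
    name, evr, kind, url = finding
    return f"Package {name}-{evr} has a {kind} vulnerability, see {url}"


# Constructed sample datafile: bounds and example.invalid URLs are placeholders.
SAMPLE_DATAFILE = """\
# name<op>version  kind  url
xzgv<0.8.0.2 remote-code-execution http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1060
examplepkg<1.2.3 denial-of-service https://example.invalid/ADVISORY-PLACEHOLDER-1
otherpkg<1.9 privilege-escalation https://example.invalid/ADVISORY-PLACEHOLDER-2
"""

# Constructed stand-in for `rpm -qa --qf "$RPM_QUERY_FORMAT"` output.
SAMPLE_RPM_QA = """\
xzgv (none) 0.8.0.1 1
examplepkg (none) 1.2.2 4.el4
otherpkg 1 2.0 1
"""


def audit_system(datafile_text: str):
    """Run the check against the real rpm database of this host."""
    out = subprocess.run(["rpm", "-qa", "--qf", RPM_QUERY_FORMAT],
                         check=True, capture_output=True, text=True).stdout
    return audit(parse_rpm_qa(out), parse_datafile(datafile_text))


if __name__ == "__main__":
    for f in audit(parse_rpm_qa(SAMPLE_RPM_QA), parse_datafile(SAMPLE_DATAFILE)):
        print(format_finding(f))
```

With the constructed inputs, xzgv and examplepkg are reported and otherpkg is not, because its epoch 1 outranks the pattern's implicit epoch 0; that epoch handling is the part a naive string comparison of `rpm -qa` output gets wrong. Replacing `SAMPLE_DATAFILE` with a downloaded file and calling `audit_system()` gives the per-host report the message asks for.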

