plug] installed package vulnerability checker for Red
Hat/Centos?
Jeremy C. Reed
reed at reedmedia.net
Thu Sep 21 15:29:23 MST 2006
> On Thu, 21 Sep 2006, Jeremy C. Reed wrote:
>
> > Does anyone know of a tool for checking if installed packages on a CentOS
> > system have known vulnerabilities?
>
> If you are current in updates, the default centos install all have yum configs
> which apply all security related updates for supported repositories
> automatically -- run yum; reboot if the glibc, the kernel, libraries or other
> 'key' packages are updated. all done. running:
> rpm -q --changelog packagename usually mentions the CVE, etc numbers
> addressed, if you wish to tick off that they are addressed.
>
> There is NO substitute to having and reading a subscription to the
> centos-announce mailing list, which carries all notifications, in a convenient
> (to procmail) parsable form; a subscription to the upstream's security
> announcement mailing lists for your major release level is also a good idea.
>
> Our worst case lags since project inception, have been less than 3 days after
> the upstream, as to security updates.
Thank you for the reply.
My original message also said:
I know yum can be used to indicate if updates are available.
But I am looking for something like NetBSD Pkgsrc's audit-packages or
FreeBSD's portaudit -- list name and version of installed package and an
item and/or URL about the vulnerability. For example:
Package xzgv-0.8.0.1nb1 has a remote-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1060
Has anyone scripted around yum and rpm to output known vulnerabilities to
currently installed packages?
I do not want to manually check installed packages for many systems or
parse email messages or parse rpm output to figure out if installed
packages have known (known to Red Hat) security issues.
If this does not exist, I would be interested in coding this, but do not
want to recreate the wheel.
I simply want to do:
- download datafile of package patterns with vulnerabilities identifiers
or URLs (for security issue details).
- check my list of installed packages against the previously downloaded
patterns -- and output the vulnerabilities/URLs for the matched packages.
(As found on other operating systems. And I am assuming would be useful
to others.)
You gave me some clues above so I can look further, but if you or anyone
else has other hints, please let me know.
Thanks again!
More information about the PLUG-discuss
mailing list