installed package vulnerability checker for Red Hat/Centos?

Craig White craigwhite at azapple.com
Fri Sep 22 22:40:59 MST 2006


On Fri, 2006-09-22 at 17:57 -0700, der.hans wrote:
> Am 21. Sep, 2006 schwätzte Jeremy C. Reed so:
> 
> > Does anyone know of a tool for checking if installed packages on a CentOS
> > system have known vulnerabilities?
> 
> Not quite what you want, but the closest I know of for GNU/Linux
> distros...
> 
> Debian and Ubuntu have their package list files up for the package
> managers. They also make the changelogs available, so you can see what
> was changed in a package before downloading it.
> 
> The update manager in Ubuntu 6.0.6 allows you to show details and get the
> changelog as part of the upgrade.
> 
> I don't know if RH has a similar mechanism for pulling up changelogs.
> 
> You can check for packages that have fixes for security problems by only
> having the security feed available for upgrade, but that's still not quite
> what you want, I think.
----
I've been staying out of this because I'm not sure of where this is
headed.

Red Hat / CentOS packaging changelogs can be inspected by doing things
like 

(remote packages)
rpm -qp --changelog \
ftp://ftp.redhat.com/pub/redhat/linux/updates/enterprise/4ES/en/os/SRPMS/kernel-2.6.9-22.EL.src.rpm

(installed packages)
rpm -q --changelog httpd

and of course you could grep the output for specific advisories...

# rpm -q --changelog httpd | grep CVE-2005-2700
- mod_ssl: add security fix for SSLVerifyClient (CVE-2005-2700)

or you could probably dump all the changelogs of all installed packages
into a text file and grep away...

rpm -qa --changelog > /tmp/changelogs.txt

so I'm not really sure that is everything Jeremy was looking for but
certainly an answer to Hans' doubt.

Craig
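Scripting the changelog-grep approach from the post above, as an added example that is not from the thread: it pulls CVE ids out of rpm changelog text and loops per package, because `rpm -qa --changelog` concatenates all entries without saying which package each belongs to. The sample changelog text and the id CVE-2005-9999 are constructed placeholders; only CVE-2005-2700 comes from the post.

```shell
#!/bin/sh
# extract_cves: read changelog text on stdin, print each CVE id once, sorted.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# package_mentions_cve PKG CVE: exit 0 if the installed PKG's changelog
# mentions CVE, as in "rpm -q --changelog httpd | grep CVE-2005-2700".
# Needs rpm on the host; not exercised by the offline sample below.
package_mentions_cve() {
    rpm -q --changelog "$1" 2>/dev/null | extract_cves | grep -qx "$2"
}

# scan_all_packages: print "package CVE" for every CVE id found in any
# installed package's changelog. One rpm call per package keeps the
# package name attached to its entries (rpm -qa --changelog loses it).
scan_all_packages() {
    rpm -qa --qf '%{NAME}\n' | sort -u | while read -r pkg; do
        rpm -q --changelog "$pkg" 2>/dev/null | extract_cves | sed "s/^/$pkg /"
    done
}

# Constructed sample in the shape of "rpm -q --changelog httpd" output.
# The packager line and CVE-2005-9999 are placeholders, not real records.
SAMPLE_CHANGELOG='* Thu Sep 15 2005 Packager <packager@example.com> 2.0.52-12.1
- mod_ssl: add security fix for SSLVerifyClient (CVE-2005-2700)
- mod_ssl: add placeholder fix (CVE-2005-9999)
* Mon Aug 01 2005 Packager <packager@example.com> 2.0.52-12
- backport earlier fix for CVE-2005-2700 (same id mentioned twice)'

# sample_cves: CVE ids found in the sample, space-separated, duplicates removed.
sample_cves() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | extract_cves | tr '\n' ' ' | sed 's/ $//'
}

# sample_has_cve CVE: exit 0 if the sample mentions the given id exactly.
sample_has_cve() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | extract_cves | grep -qx "$1"
}
```

On a real host, `scan_all_packages | grep CVE-2005-2700` answers the question in the post for every installed package at once; a CVE that does not appear still needs checking against the vendor advisory, since not every packager writes the id into the changelog.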
