[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The harden-*flaws packages.


On Mon, Sep 02, 2002 at 03:09:28PM +0200, Javier Fernández-Sanguino Peña wrote:
> On Mon, Sep 02, 2002 at 08:47:53AM +0200, Ola Lundqvist wrote:
> > 
> > Yes. Luckily I just saw someone that have written a script that checks
> > the DSA:s and tell the maintainer that he/she has a vulnerable package.
> > That is a good solution (best?). The problem is that the DSA is 
> > not able to distinguish between local/remote/3rdparty flaws but
> > that is not always interesting.
> Why duplicate the work the Tiger package is already doing? I do not see the merit
> of checking *only* for DSAs published in the RDF file (since that RDF file is
> limited to a few DSAs only).

Well my thought was to check for all DSA:s which apparently this script do not.

> If you want a program to check for security flaws please use one designed for that
> precisely. Tiger is such a program. Just have the *flaws package recommend: or
> depend: on tiger.

On the other hand tigher does a lot of other things too. But the link
you gave me was very interesting.

> Of course, there is room for improvement, the DSAs could be parsed from the WML
> source to retrieve both the description *and* wether it's a local or remote issue
> and populate the report accordingly (it currently just checks against version
> packages) *also* we could provide MD5sums of know vulnerable packages (in the
> stable distribution and proposed-updates).
> Also, this information needs to be splitted off the package so it can work like
> antivirus updates. Thus, signature updates could go to proposed-updates without
> needing to update the program itself.

Agreed. Without having too much digging in tiger it might be a good
idea. The contact I have had with tiger is not very pleasant because it
bugged me with a lot of non-issues. That is maybe the reason why I
deinstalled it. :)


// Ola

> 	Regards
> 	Javi
> -- 
> To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /

Reply to: