
Re: forming a security team for testing

hi joey

On Thu, 28 Oct 2004, Joey Hess wrote:

> I've added a CVE/list also, with about 80 CVE's per year to add to the
> things to check. We've only got 130 more CAN's to check for 2004, plus
> the CVE's, and then we can start on 2003.
> Current list of security problems apparently unfixed in sarge:
> postgresql 7.4.6-1 needed, have 7.4.5-3 for CAN-2004-0977
> perl (unfixed; bug #278404) for CAN-2004-0976
> openssl (unfixed; bug #278260) for CAN-2004-0975
> apache2 2.0.53 needed, have 2.0.52-1 for CAN-2004-0885
> kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0746

Was this list created/checked by a script that detected "have"
and "needed"?
	- "have" can be easy .. many ways to get that info ( dpkg )
	- "needed" can be tricky, by parsing the SA or originating
	author's site

- next step is to give that script the option to upgrade
  only the selected package for the user's PC ??

	- d/l and install the "needed" upgrades based on what
	packages were previously installed on the user's PC

	- web page based - nah .. too much work for the user 
	to know which ones to apply ?

- maybe a new option "dpkg security-check" and "dpkg security-upgrade" 
  is all that is needed, since the rest of the infrastructure is already
  in place
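As an added illustration of the "have"/"needed" comparison step discussed above (example code written for this page, not Joey's script, not part of dpkg, and not any Debian tool): it parses lines in the exact format of the quoted list, takes the installed versions in the shape `dpkg-query -W -f='${Package} ${Version}\n'` would print them (the installed versions below are constructed sample input), and orders versions the way deb-version(5) / `dpkg --compare-versions` does, including epochs, Debian revisions and the `~` pre-release marker. The "have" value in the list is the archive's sarge version; the check compares the user's own installed version against "needed".

```python
"""Check installed Debian package versions against a "needed" list.

Version ordering follows deb-version(5): [epoch:]upstream[-revision],
with digit runs compared numerically and non-digit runs compared by
dpkg's character order ('~' sorts before everything, even the end of
the string; letters sort before non-letters).
"""
import re

def _order(c):
    """dpkg character ordering for non-digit runs."""
    if c == "~":
        return -1
    if c == "":          # end of string
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256  # '.', '+', '-' and friends sort after letters

def _cmp_fragment(a, b):
    """Compare two version fragments (upstream part or revision)."""
    while a or b:
        # Non-digit prefixes, compared character by character.
        ma = re.match(r"\D*", a).group()
        mb = re.match(r"\D*", b).group()
        a, b = a[len(ma):], b[len(mb):]
        for i in range(max(len(ma), len(mb))):
            ca = ma[i] if i < len(ma) else ""
            cb = mb[i] if i < len(mb) else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        # Digit prefixes, compared as integers (leading zeros ignored).
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b like dpkg does."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# Two line shapes appear in the quoted list.
FIXED_RE = re.compile(r"^(\S+) (\S+) needed, have (\S+) for (\S+)$")
UNFIXED_RE = re.compile(r"^(\S+) \(unfixed; bug #(\d+)\) for (\S+)$")

def check_line(line, installed):
    """Classify one list line against the installed versions.

    installed: dict package -> version, as dpkg-query would report.
    Returns (package, security id, status) or None for unparsable lines.
    """
    line = line.strip()
    m = FIXED_RE.match(line)
    if m:
        pkg, needed, _archive_has, ident = m.groups()
        have = installed.get(pkg)
        if have is None:
            return (pkg, ident, "not installed")
        if compare_versions(have, needed) >= 0:
            return (pkg, ident, "ok")
        return (pkg, ident, "vulnerable, have %s need %s" % (have, needed))
    m = UNFIXED_RE.match(line)
    if m:
        pkg, bug, ident = m.groups()
        if pkg not in installed:
            return (pkg, ident, "not installed")
        return (pkg, ident, "no fixed version yet (bug #%s)" % bug)
    return None

def run_check(list_text, installed):
    """Run check_line over every line of the list, skipping unparsable ones."""
    results = [check_line(l, installed) for l in list_text.splitlines()]
    return [r for r in results if r is not None]

# Constructed sample: list lines in the quoted format, and a made-up
# set of installed versions (one already upgraded, one behind, one absent).
SAMPLE_LIST = """postgresql 7.4.6-1 needed, have 7.4.5-3 for CAN-2004-0977
perl (unfixed; bug #278404) for CAN-2004-0976
apache2 2.0.53 needed, have 2.0.52-1 for CAN-2004-0885
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0746
"""
SAMPLE_INSTALLED = {
    "postgresql": "7.4.6-1",      # already at the needed version
    "perl": "5.8.4-2",
    "kdelibs": "4:3.2.3-2",       # behind
}

if __name__ == "__main__":
    for pkg, ident, status in run_check(SAMPLE_LIST, SAMPLE_INSTALLED):
        print("%-12s %-15s %s" % (pkg, ident, status))
```

On a real system the `installed` dict would be filled from `dpkg-query -W -f='${Package} ${Version}\n'`; the comparison logic is the part worth getting right, since a plain string compare gets `2.0.52` vs `2.0.53` right by luck but fails on epochs, `10` vs `9`, and `~rc` suffixes.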

