Re: forming a security team for testing
On Thu, 28 Oct 2004, Joey Hess wrote:
> I've added a CVE/list also, with about 80 CVE's per year to add to the
> things to check. We've only got 130 more CAN's to check for 2004, plus
> the CVE's, and then we can start on 2003.
> Current list of security problems apparently unfixed in sarge:
> postgresql 7.4.6-1 needed, have 7.4.5-3 for CAN-2004-0977
> perl (unfixed; bug #278404) for CAN-2004-0976
> openssl (unfixed; bug #278260) for CAN-2004-0975
> apache2 2.0.53 needed, have 2.0.52-1 for CAN-2004-0885
> kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0746
was this list created/checked by a script that detected "have"
and "needed"??
- "have" can be easy .. may ways to get that info ( dpkg )
- "needed" can tricky by parsing the SA or originating
- next step is to give that script the option to upgrade
only the selected package for the user's PC ??
- d/l and install the "needed" upgrades based on what
packages were previously installed on the users page
- web page based - nah .. too much work for the user
to know which ones to apply ?
- maybe a new option "dpkg security-check" and "dpkg security-upgrade"
is all that is needed, since the rest of the infrastructure is already