Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
> More important is to know if you are vulnerable.
Yeah. I agree.
I propose a slight addition to dpkg:
I think it's possible for a script to list all installed packages,
then check each of them against the bug report system to see if the
installed version has a security bug filed against it.
Maybe if some automated system on the server would generate a
"Security.gz" or something else similar to the package list for apt?
I really don't know enough of the bug tracking system to know if this
is possible, but it opens up a lot of possibilities if it is.
One could then run a cronjob (or whatever) for dpkg-secure and it
would report any of the packages that are both installed and have a
security-tagged bug associated with it.
The result, of course, would end up in whomever crond emails its output to.
No insecure packages installed would generate no output and thus no email.
Maybe there could be two states? "Insecure, unpatched" and "insecure, patched"?
That way an output parser would know what to apt-get and what to
scream to root about.
The output might involve an address to the relevant bug report or even
parts of the report itself.
Of course, any bugs that are kept "secret" because they're easy for
skiddies to reproduce (or whatever) would not show up here either.
Welcome to Earth. It's imperfect.
Anyone, feel free to pick apart my idea, and please inform me if such
a system exists and I've completely missed it.
Fredrik "Demonen" Vold
- Do not meddle in the affairs of dragons, for you are crunchy and
good with ketchup.
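
The check proposed in this message, sketched as an added example that is not part of the original post or of any Debian tool. The feed format (package, fixed version or "-", bug URL), the package names, versions and URLs are all constructed assumptions; the version ordering is reimplemented here so the sketch runs anywhere, where a real system would use dpkg --compare-versions.

```python
import re

def _order(c):  # dpkg ordering: '~' < end of string < letters < other symbols
    special = {"~": -1, "": 0}
    return special[c] if c in special else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        da, db = re.match(r"\d*", a[len(na):]).group(), re.match(r"\d*", b[len(nb):]).group()
        a, b = a[len(na) + len(da):], b[len(nb) + len(db):]
        # Compare the non-digit run character by character, then the number.
        ka = [_order(na[i:i + 1]) for i in range(max(len(na), len(nb)))] + [int(da or 0)]
        kb = [_order(nb[i:i + 1]) for i in range(max(len(na), len(nb)))] + [int(db or 0)]
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def compare_versions(a, b):  # returns -1, 0 or 1 for [epoch:]upstream[-revision]
    parts = []
    for v in (a, b):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        parts.append((int(epoch), upstream, rev))
    (ea, ua, ra), (eb, ub, rb) = parts
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

# Constructed sample data. INSTALLED mimics `dpkg-query -W` output (package<TAB>version).
INSTALLED = "webmail-demo\t2:1.4.4-5\nlibfoo1\t1.0~rc2-1\nbarutil\t0.9-3\neditor-demo\t3.1-2\n"
# Hypothetical "Security" feed: package, fixed version ("-" if no fix yet), bug URL.
FEED = """webmail-demo 2:1.4.4-6 https://bugs.example.invalid/1001
libfoo1 1.0-1 https://bugs.example.invalid/1002
barutil - https://bugs.example.invalid/1003
editor-demo 3.1-2 https://bugs.example.invalid/1004
"""

def check(installed_text, feed_text):
    installed = dict(line.split() for line in installed_text.splitlines() if line.strip())
    report = []
    for pkg, fixed, url in (line.split() for line in feed_text.splitlines() if line.strip()):
        have = installed.get(pkg)  # None: package not installed, nothing to report
        if have is not None and fixed == "-":
            report.append((pkg, have, "insecure, unpatched", url))  # no fix: tell root
        elif have is not None and compare_versions(have, fixed) < 0:
            report.append((pkg, have, "insecure, patched", url))  # fix exists: upgrade
    return report

if __name__ == "__main__":
    for row in check(INSTALLED, FEED):  # silent when clean, so cron sends no mail
        print(" ".join(row))
```

Here "insecure, patched" is read as "a fixed version exists and the installed one is older", which is an interpretation of the two states suggested in the message.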