
Bug#820614: marked as done (ITP: vuls -- package inventory scanner for CVE vulnerabilities)



Your message dated Fri, 04 May 2018 12:00:24 +0000
with message-id <E1fEZNw-0001qB-N0@fasolo.debian.org>
and subject line Bug#820614: fixed in vuls 0.4.2-1
has caused the Debian Bug report #820614,
regarding ITP: vuls -- package inventory scanner for CVE vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
820614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820614
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: wnpp
Severity: wishlist
Owner: Daniel Stender <stender@debian.org>

* Package name    : vuls
  Version         : 0.1.1
  Upstream Author : Kota Kanbe <kotakanbe@gmail.com>
* URL             : https://github.com/future-architect/vuls
* License         : GPL-3
  Programming Lang: Google Go
  Description     : package inventory scanner for CVE vulnerabilities

This is a scanner which checks the package inventory against a local copy of
the National Vulnerabilities Database (NVD) of vulnerabilities according to
their CVE (Common Vulnerabilities and Exposures) identifiers. The backend
supports a couple of OSs (Debian, RHEL, CentOS, Amazon Linux). Scanning servers
over the network is possible.

A typical scan goes like this (an Ubuntu 12.04 server via SSH):
<cut>
$ ./vuls scan
[Apr 10 16:21:02]  INFO [localhost] Validating Config...
[Apr 10 16:21:02]  INFO [localhost] Detecting OS... 
[Apr 10 16:21:06]  INFO [localhost] Scanning vulnerabilities... 
[Apr 10 16:21:06]  INFO [localhost] Check required packages for scanning...
[Apr 10 16:21:06]  INFO [localhost] Scanning vulnerable OS packages...
{...}
[Apr 10 16:21:44]  INFO [myserver:22] (1/22) Scanned libisccfg82-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (2/22) Scanned libisc83-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (3/22) Scanned libisccc80-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (4/22) Scanned dnsutils-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (5/22) Scanned libgnutls26-2.12.14-5ubuntu3.11 : []
[Apr 10 16:21:44]  INFO [myserver:22] (6/22) Scanned liblwres80-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (7/22) Scanned ca-certificates-20141019ubuntu0.12.04.1 : []
[Apr 10 16:21:44]  INFO [myserver:22] (8/22) Scanned bind9-host-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (9/22) Scanned libbind9-80-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (10/22) Scanned libdns81-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (11/22) Scanned libpcre3-8.12-4ubuntu0.1 : [CVE-2015-2327 CVE-2015-8382 CVE-2015-8385 {...}
[Apr 10 16:21:44]  INFO [myserver:22] (12/22) Scanned perl-base-5.14.2-6ubuntu2.4 : [CVE-2013-7422 CVE-2014-4330 CVE-2016-2381]
[Apr 10 16:21:44]  INFO [myserver:22] (13/22) Scanned libpam0g-1.1.3-7ubuntu2 : [CVE-2015-3238 CVE-2013-7041 CVE-2014-2583]
[Apr 10 16:21:44]  INFO [myserver:22] (14/22) Scanned openssl-1.0.1-4ubuntu5.33 : [CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 {...}
[Apr 10 16:21:44]  INFO [myserver:22] (15/22) Scanned libpam-modules-bin-1.1.3-7ubuntu2 : [CVE-2015-3238 CVE-2013-7041 CVE-2014-2583]
[Apr 10 16:21:44]  INFO [myserver:22] (16/22) Scanned linux-generic-lts-trusty-3.13.0.79.71 : []
[Apr 10 16:21:44]  INFO [myserver:22] (17/22) Scanned libpam-modules-1.1.3-7ubuntu2 : [CVE-2015-3238 CVE-2013-7041 CVE-2014-2583]
[Apr 10 16:21:44]  INFO [myserver:22] (18/22) Scanned perl-5.14.2-6ubuntu2.4 : [CVE-2013-7422 CVE-2014-4330 CVE-2016-2381]
[Apr 10 16:21:45]  INFO [myserver:22] (19/22) Scanned libssl1.0.0-1.0.1-4ubuntu5.33 : [CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 {...}
[Apr 10 16:21:45]  INFO [myserver:22] (20/22) Scanned libpam-runtime-1.1.3-7ubuntu2 : [CVE-2015-3238 CVE-2013-7041 CVE-2014-2583]
[Apr 10 16:21:46]  INFO [myserver:22] (21/22) Scanned tzdata-2015g-0ubuntu0.12.04 : []
[Apr 10 16:21:46]  INFO [myserver:22] (22/22) Scanned perl-modules-5.14.2-6ubuntu2.4 : [CVE-2013-7422 CVE-2014-4330 CVE-2016-2381]
[Apr 10 16:21:46]  INFO [myserver:22] Fetching CVE details...
[Apr 10 16:21:46]  INFO [myserver:22] Done
[Apr 10 16:21:46]  INFO [localhost] Scanning vulnerable software specified in the CPE...
[Apr 10 16:21:46]  INFO [localhost] Reporting...
myserver (ubuntu 12.04)
=======================
CVE-2016-0799	10.0	The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2
             	    	before 1.0.2g improperly calculates string lengths, which allows remote attackers to
             	    	cause a denial of service (overflow and out-of-bounds read) or possibly have        
             	    	unspecified other impact via a long string, as demonstrated by a large amount of    
             	    	ASN.1 data, a different vulnerability than CVE-2016-2842.                           
CVE-2016-0705	10.0	Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c 
             	    	in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to   
             	    	cause a denial of service (memory corruption) or possibly have unspecified other    
             	    	impact via a malformed DSA private key.                                
CVE-2016-0798	7.8 	Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before     
             	    	1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service 
             	    	(memory consumption) by providing an invalid username in a connection attempt,      
             	    	related to apps/s_server.c and crypto/srp/srp_vfy.c.
{...}
</cut>

That's quite useful to have available for administration. I'm going to maintain this within
the Pkg-go group; the binary is going to be "vuls". WNPP bugs for the needed dependencies are
coming up.

Thank you very much,
DS

--- End Message ---
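As an added example (not part of the bug report and not vuls' own code), the following Go program parses "Scanned" lines in the format quoted above, inverts them into a CVE-to-package view and orders the CVEs by CVSS score the way the report stage does. The log sample is constructed from the quoted lines; only CVE-2016-0705's score is taken from the report, every other CVE is treated as unscored.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of the "Scanned <package-version> : [CVE ...]" lines from the vuls log in the ITP.
const sampleLog = `[Apr 10 16:21:44]  INFO [myserver:22] (14/22) Scanned openssl-1.0.1-4ubuntu5.33 : [CVE-2016-0702 CVE-2016-0705 CVE-2016-0797]
[Apr 10 16:21:45]  INFO [myserver:22] (19/22) Scanned libssl1.0.0-1.0.1-4ubuntu5.33 : [CVE-2016-0702 CVE-2016-0705 CVE-2016-0797]
[Apr 10 16:21:44]  INFO [myserver:22] (16/22) Scanned linux-generic-lts-trusty-3.13.0.79.71 : []`
// Only CVE-2016-0705's score (10.0) is taken from the report in the ITP; CVEs not in the map score 0.
var knownScores = map[string]float64{"CVE-2016-0705": 10.0}
var scannedRe = regexp.MustCompile(`Scanned (\S+) : \[([^\]]*)\]`)

// ParseScanLog inverts the per-package log into CVE -> affected package-versions.
func ParseScanLog(log string) map[string][]string {
	affected := map[string][]string{}
	for _, line := range strings.Split(log, "\n") {
		if m := scannedRe.FindStringSubmatch(line); m != nil { // skip status lines
			for _, cve := range strings.Fields(m[2]) { // "[]" yields no fields
				affected[cve] = append(affected[cve], m[1])
			}
		}
	}
	return affected
}

// Prioritise orders CVE ids by CVSS score (highest first), then by id, for a stable report.
func Prioritise(affected map[string][]string, scores map[string]float64) []string {
	cves := make([]string, 0, len(affected))
	for cve := range affected {
		cves = append(cves, cve)
	}
	sort.Slice(cves, func(i, j int) bool {
		if scores[cves[i]] != scores[cves[j]] {
			return scores[cves[i]] > scores[cves[j]]
		}
		return cves[i] < cves[j]
	})
	return cves
}

func main() {
	affected := ParseScanLog(sampleLog)
	for _, cve := range Prioritise(affected, knownScores) {
		fmt.Printf("%s\t%.1f\t%s\n", cve, knownScores[cve], strings.Join(affected[cve], " "))
	}
}
```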
--- Begin Message ---
Source: vuls
Source-Version: 0.4.2-1

We believe that the bug you reported is fixed in the latest version of
vuls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 820614@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <iwamatsu@debian.org> (supplier of updated vuls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 24 Nov 2017 10:18:47 +0900
Source: vuls
Binary: vuls
Architecture: source amd64
Version: 0.4.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Description:
 vuls       - Vulnerability scanner for Linux/FreeBSD, agentless, written in Go
Closes: 820614
Changes:
 vuls (0.4.2-1) experimental; urgency=medium
 .
   * Initial release (Closes: #820614)


--- End Message ---
