Subject: pkg/17368: security/audit-packages: several minor annoyances in the download-vulnerability-list script
To: None <firstname.lastname@example.org>
From: Greg A. Woods <email@example.com>
Date: 06/23/2002 15:52:25
>Synopsis: security/audit-packages: several minor annoyances in the download-vulnerability-list script
>Arrival-Date: Sun Jun 23 12:53:00 PDT 2002
>Originator: Greg A. Woods
Planix, Inc.; Toronto, Ontario; Canada
System: NetBSD 1.5W
There are several minor annoyances in the
download-vulnerability-list script from
The 'ftp' command (the NetBSD variant), as used by the script,
generates unnecessary output about what addresses it's trying
and on an INET6 machine with no ipv6 visibility to the Interent
it's even more noisy. Oddly the real error message related to
the ipv6 attempt isn't shown though.
This output should be hidden (though of course any real error
messages generated by 'ftp' should be reported). Unfortunately
there doesn't seem to currently be a way to make ftp completely
quiet (-V doesn't work).
The downloaded file is left unreadable by anyone but whom ever
runs the script (root in my case as I run it from /etc/security)
This file should be left in mode 0444 or maybe 0644 (and of
course be owned by the user running the script).
here's a trimmed example of the extra output it causes...
[ On Sunday, June 23, 2002 at 06:54:38 (-0400), Proven Weird Charlie Root wrote: ]
> Subject: proven daily insecurity output for Sun Jun 23 03:30:00 EDT 2002
> Trying 3ffe:8050:201:1860:2a0:c9ff:feed:b7ea...
> Trying 188.8.131.52...
Note that a manual run of the same ftp command will also print:
ftp: connect to address 3ffe:8050:201:1860:2a0:c9ff:feed:b7ea: No route to host
before the second "Trying" line.
$ ls -l /usr/pkgsrc/distfiles/vulnerabilities
-rw------- 1 root wheel 14364 Jun 21 08:00 /usr/pkgsrc/distfiles/vulnevulnerabilities
The first problem will need some "smart" filtering of ftp's
output, or a fix to the 'ftp' command itself (though presumably
this script is expected to work on multiple platforms so
depending on some NetBSD-specific feature is not desirable).
the latter problem is easily fixed with a 'chmod 444' after a
successful download and replacement of any old file....