Subject: Re: Dante; what exactly are security mechanisms of pkgsrc?
To: Ing.,BcA. Ivan Dolezal <ivan.dolezal@vsb.cz>
From: Stefan Schumacher <stefan@net-tex.de>
List: tech-security
Date: 07/12/2002 15:48:24
On Fri, 12 Jul 2002, Ing.,BcA. Ivan Dolezal wrote:

>
> [Dante-specific]
> I couldn't find any information on vulnerabilities of older Dante
> versions at securityfocus.com and by searching with google "dante socks
> vulnerability". This doesn't mean necessarily that there are no vulns, I
> just couldn't find them. Reading NEWS file in Dante distribution points
> some bugs that seem to be harmless, but maybe I just don't get the
> point. There is not any word "vulne*" or "explo*" anyway. Is this
> software really that bulletproof? I also couldn't find any mailing list
> like "dante-announcement."
> Could you give me some hint where to check Dante security?
> Is version 1.1.9 considered to be secure? Are all the latter versions
> just some cosmetic improvements?

There is a Dante CERT at http://www.dante.net/security/

> [pkgsrc]
> I don't really follow the sentence: "Note that we no longer issue
> advisories for thirdparty software packages (pkgsrc). Instead, an
> automated mechanism to audit installed binary package is provided in
> pkgsrc/security/audit-packages." I have no idea, what is behind "an
> automated mechanism".

There is a pkg called audit-packages; it provides two programs:
download-vulnerability-list, which downloads the list, and
audit-packages, which audits your running system against this list, so
you get output if compromised pkgs are found.

 _
/
|$ audit-packages
|Package openssh-3.0.2.1nb2 has a remote-root-shell vulnerability, see
|http://online.securityfocus.com/bid/5093
\_

Automated means you can run it via at or crontab.

> If a package installed from pkgsrc is not audited as vulnerable, it can
> mean basically two things to me in a world of free software:
>
> - either it is not known as vulnerable,
> or
> - a vulnerabilities database used for an automated mechanism
>    wasn't loaded with the up-to-date data from the right place,
>    because nobody/nothing felt committed to do it

That's right. You can have a look at the database
and you will see that there are really a lot of vulnerabilities listed and a lot
of sources for those vulnerabilities, like FreeBSD, securityfocus.com,
cert.org and so on.


-- 
http://www.net-tex.de

All your platform are belong to us!
http://www.netbsd.org/Ports/alpha/
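As an added example (not part of the original mail, and not the audit-packages code itself), the following Python script models what the audit step described above does: it parses a downloaded vulnerability list, splits each installed package name into name and version, and reports every installed package that matches an entry, in the same output style as the quoted audit-packages run. The list format ("package-pattern type-of-exploit url", one entry per line) is assumed for the example, the vulnerability entries and installed package set are constructed, and the version ordering (dotted numeric components with a pkgsrc "nbN" revision suffix as a secondary key) is a simplified version of what a real package tool would do.

```python
import re
from fnmatch import fnmatchcase

# Constructed vulnerability list. The line format "package-pattern type url"
# is an assumption made for this example; apart from the openssh reference
# quoted in the mail, entries and URLs are illustrative placeholders.
VULN_LIST = """\
# package-pattern   type-of-exploit     reference
openssh<3.4         remote-root-shell   http://online.securityfocus.com/bid/5093
zlib<1.1.4          remote-code-exec    http://advisory.invalid/zlib-placeholder
dante-[0-9]*        placeholder-type    http://advisory.invalid/dante-placeholder
"""

# Constructed set of installed packages, in pkgsrc "name-version" naming.
INSTALLED = ["openssh-3.0.2.1nb2", "zlib-1.1.4", "sudo-1.6.6", "apache-1.3.26nb1"]

RELOP = re.compile(r"(<=|>=|<|>)([^<>]+)")


def split_name_version(pkg):
    """Split 'openssh-3.0.2.1nb2' into ('openssh', '3.0.2.1nb2'): the version
    is the text after the last '-' that begins with a digit."""
    m = re.match(r"^(.+)-(\d[^-]*)$", pkg)
    if not m:
        raise ValueError(f"no version component in {pkg!r}")
    return m.group(1), m.group(2)


def version_key(ver):
    """Turn a version string into a comparable tuple (simplified ordering).
    Numeric and alphabetic pieces of the dotted base version form the primary
    key; a trailing pkgsrc revision 'nbN' is a secondary key, so
    1.1.4nb2 > 1.1.4 but 1.1.4nb2 < 1.1.5."""
    base, _, nb = ver.partition("nb")
    parts = []
    for piece in re.findall(r"\d+|[a-z]+", base):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return (tuple(parts), int(nb) if nb else 0)


def matches(pattern, name, version):
    """Does an installed (name, version) match one list pattern?
    Two pattern forms are supported (an assumption about the list format):
      name<ver, name<=ver, name>=verA<verB   (version relations, all must hold)
      name-[0-9]*                            (shell-style glob on the full name)
    """
    if "<" in pattern or ">" in pattern:
        idx = min(i for i in (pattern.find("<"), pattern.find(">")) if i >= 0)
        head, rel = pattern[:idx], pattern[idx:]
        if head != name:
            return False
        vk = version_key(version)
        for op, ver in RELOP.findall(rel):
            pk = version_key(ver)
            ok = {"<": vk < pk, "<=": vk <= pk, ">": vk > pk, ">=": vk >= pk}[op]
            if not ok:
                return False
        return True
    return fnmatchcase(f"{name}-{version}", pattern)


def audit(installed, vuln_text):
    """Check every installed package against the list; return report lines in
    the style of the audit-packages output quoted in the mail."""
    entries = []
    for line in vuln_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split(None, 2)
        entries.append((pattern, kind, url))
    report = []
    for pkg in installed:
        name, ver = split_name_version(pkg)
        for pattern, kind, url in entries:
            if matches(pattern, name, ver):
                report.append(f"Package {pkg} has a {kind} vulnerability, see {url}")
    return report


if __name__ == "__main__":
    for line in audit(INSTALLED, VULN_LIST):
        print(line)
```

Run as-is, it flags only openssh-3.0.2.1nb2 (3.0.2.1 is below 3.4); zlib-1.1.4 is not flagged because the entry only covers versions strictly below 1.1.4, which is the kind of boundary the version comparison has to get right for an audit like this to be trustworthy.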